Appendix B to Part 30 - Interagency Guidelines Establishing Information Security Standards
Table of Contents
I. Introduction
  A. Scope
  B. Preservation of Existing Authority
  C. Definitions
II. Standards for Safeguarding Customer Information
  A. Information Security Program
  B. Objectives
III. Development and Implementation of Customer Information Security Program
  A. Involve the Board of Directors
  B. Assess Risk
  C. Manage and Control Risk
  D. Oversee Service Provider Arrangements
  E. Adjust the Program
  F. Report to the Board
  G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing Information Security
Standards (Guidelines) set forth standards pursuant to section 39
of the Federal Deposit Insurance Act (section 39, codified at 12
U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C.
6801 and 6805(b) of the Gramm-Leach Bliley Act. These Guidelines
address standards for developing and implementing administrative,
technical, and physical safeguards to protect the security,
confidentiality, and integrity of customer information. These
Guidelines also address standards with respect to the proper
disposal of consumer information, pursuant to sections 621 and 628
of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w).
A. Scope. The Guidelines apply to customer information
maintained by or on behalf of entities over which the OCC has
authority. Such entities, referred to as “the national bank or
Federal savings association,” are national banks, Federal savings
associations, Federal branches and Federal agencies of foreign
banks, and any subsidiaries of such entities (except brokers,
dealers, persons providing insurance, investment companies, and
investment advisers). The Guidelines also apply to the proper
disposal of consumer information by or on behalf of such
entities.
B. Preservation of Existing Authority. Neither section 39
nor these Guidelines in any way limit the authority of the OCC to
address unsafe or unsound practices, violations of law, unsafe or
unsound conditions, or other practices. The OCC may take action
under section 39 and these Guidelines independently of, in
conjunction with, or in addition to, any other enforcement action
available to the OCC.
C. Definitions. 1. Except as modified in the Guidelines,
or unless the context otherwise requires, the terms used in these
Guidelines have the same meanings as set forth in sections 3 and 39
of the Federal Deposit Insurance Act (12 U.S.C. 1813 and
1831p-1).
2. For purposes of the Guidelines, the following definitions
apply:
a. Board of directors, in the case of a branch or agency
of a foreign bank, means the managing official in charge of the
branch or agency.
b. Consumer information means any record about an
individual, whether in paper, electronic, or other form, that is a
consumer report or is derived from a consumer report and that is
maintained or otherwise possessed by or on behalf of the national
bank or Federal savings association for a business purpose.
Consumer information also means a compilation of such records. The
term does not include any record that does not identify an
individual.
i. Examples. (1) Consumer information
includes:
(A) A consumer report that a national bank or Federal savings
association obtains;
(B) Information from a consumer report that the national bank or
Federal savings association obtains from its affiliate after the
consumer has been given a notice and has elected not to opt out of
that sharing;
(C) Information from a consumer report that the national bank or
Federal savings association obtains about an individual who applies
for but does not receive a loan, including any loan sought by an
individual for a business purpose;
(D) Information from a consumer report that the national bank or
Federal savings association obtains about an individual who
guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that the national bank or
Federal savings association obtains about an employee or
prospective employee.
(2) Consumer information does not include:
(A) Aggregate information, such as the mean credit score,
derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not
personally identifiable, that may be used for developing credit
scoring models or for other purposes.
c. Consumer report has the same meaning as set forth in
the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).
d. Customer means any customer of the national bank or
Federal savings association as defined in 12 CFR 1016.3(i).
e. Customer information means any record containing
nonpublic personal information, as defined in 12 CFR 1016.3(p),
about a customer, whether in paper, electronic, or other form, that
is maintained by or on behalf of the national bank or Federal
savings association.
f. Customer information systems means any methods used to
access, collect, store, use, transmit, protect, or dispose of
customer information.
g. Service provider means any person or entity that
maintains, processes, or otherwise is permitted access to customer
information or consumer information through its provision of
services directly to the national bank or Federal savings
association.
II. Standards for Information Security
A. Information Security Program. Each national bank or
Federal savings association shall implement a comprehensive written
information security program that includes administrative,
technical, and physical safeguards appropriate to the size and
complexity of the national bank or Federal savings association and
the nature and scope of its activities. While all parts of the
national bank or Federal savings association are not required to
implement a uniform set of policies, all elements of the
information security program must be coordinated.
B. Objectives. A national bank's or Federal savings
association's information security program shall be designed
to:
1. Ensure the security and confidentiality of customer
information;
2. Protect against any anticipated threats or hazards to the
security or integrity of such information;
3. Protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience
to any customer; and
4. Ensure the proper disposal of customer information and
consumer information.
III. Development and Implementation of Information Security Program
A. Involve the Board of Directors. The board of directors
or an appropriate committee of the board of each national bank or
Federal savings association shall:
1. Approve the national bank's or Federal savings association's
written information security program; and
2. Oversee the development, implementation, and maintenance of
the national bank's or Federal savings association's information
security program, including assigning specific responsibility for
its implementation and reviewing reports from management.
B. Assess Risk. Each national bank or Federal savings
association shall:
1. Identify reasonably foreseeable internal and external threats
that could result in unauthorized disclosure, misuse, alteration,
or destruction of customer information or customer information
systems.
2. Assess the likelihood and potential damage of these threats,
taking into consideration the sensitivity of customer
information.
3. Assess the sufficiency of policies, procedures, customer
information systems, and other arrangements in place to control
risks.
C. Manage and Control Risk. Each national bank or Federal
savings association shall:
1. Design its information security program to control the
identified risks, commensurate with the sensitivity of the
information as well as the complexity and scope of the national
bank's or Federal savings association's activities. Each national
bank or Federal savings association must consider whether the
following security measures are appropriate for the national bank
or Federal savings association and, if so, adopt those measures the
national bank or Federal savings association concludes are
appropriate:
a. Access controls on customer information systems, including
controls to authenticate and permit access only to authorized
individuals and controls to prevent employees from providing
customer information to unauthorized individuals who may seek to
obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer
information, such as buildings, computer facilities, and records
storage facilities to permit access only to authorized
individuals;
c. Encryption of electronic customer information, including
while in transit or in storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that customer information
system modifications are consistent with the national bank's or
Federal savings association's information security program;
e. Dual control procedures, segregation of duties, and employee
background checks for employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to detect actual and
attempted attacks on or intrusions into customer information
systems;
g. Response programs that specify actions to be taken when the
national bank or Federal savings association suspects or detects
that unauthorized individuals have gained access to customer
information systems, including appropriate reports to regulatory
and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of
customer information due to potential environmental hazards, such
as fire and water damage or technological failures.
2. Train staff to implement the national bank's or Federal
savings association's information security program.
3. Regularly test the key controls, systems and procedures of
the information security program. The frequency and nature of such
tests should be determined by the national bank's or Federal
savings association's risk assessment. Tests should be conducted or
reviewed by independent third parties or staff independent of those
that develop or maintain the security programs.
4. Develop, implement, and maintain, as part of its information
security program, appropriate measures to properly dispose of
customer information and consumer information in accordance with
each of the requirements of this paragraph III.
D. Oversee Service Provider Arrangements. Each national
bank or Federal savings association shall:
1. Exercise appropriate due diligence in selecting its service
providers;
2. Require its service providers by contract to implement
appropriate measures designed to meet the objectives of these
Guidelines; and
3. Where indicated by the national bank's or Federal savings
association's risk assessment, monitor its service providers to
confirm that they have satisfied their obligations as required by
section D.2. As part of this monitoring, a national bank or Federal
savings association should review audits, summaries of test
results, or other equivalent evaluations of its service
providers.
E. Adjust the Program. Each national bank or Federal
savings association shall monitor, evaluate, and adjust, as
appropriate, the information security program in light of any
relevant changes in technology, the sensitivity of its customer
information, internal or external threats to information, and the
national bank's or Federal savings association's own changing
business arrangements, such as mergers and acquisitions, alliances
and joint ventures, outsourcing arrangements, and changes to
customer information systems.
F. Report to the Board. Each national bank or Federal
savings association shall report to its board or an appropriate
committee of the board at least annually. This report should
describe the overall status of the information security program and
the national bank's or Federal savings association's compliance
with these Guidelines. The reports should discuss material matters
related to its program, addressing issues such as: risk assessment;
risk management and control decisions; service provider
arrangements; results of testing; security breaches or violations
and management's responses; and recommendations for changes in the
information security program.
G. Implement the Standards. 1. Effective date.
Each national bank or Federal savings association must implement an
information security program pursuant to these Guidelines by July
1, 2001.
2. Two-year grandfathering of agreements with service
providers. Until July 1, 2003, a contract that a national bank
or Federal savings association has entered into with a service
provider to perform services for it or functions on its behalf
satisfies the provisions of section III.D., even if the contract
does not include a requirement that the servicer maintain the
security and confidentiality of customer information, as long as
the national bank or Federal savings association entered into the
contract on or before March 5, 2001.
3. Effective date for measures relating to the disposal of
consumer information. Each national bank or Federal savings
association must satisfy these Guidelines with respect to the
proper disposal of consumer information by July 1, 2005.
4. Exception for existing agreements with service providers
relating to the disposal of consumer information.
Notwithstanding the requirement in paragraph III.G.3., a national
bank's or Federal savings association's contracts with its service
providers that have access to consumer information and that may
dispose of consumer information, entered into before July 1, 2005,
must comply with the provisions of the Guidelines relating to the
proper disposal of consumer information by July 1, 2006.
Supplement A to Appendix B to Part 30 - Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information
and Customer Notice
I. Background
This Guidance [1] interprets section 501(b) of the
Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines
Establishing Information Security Standards (the “Security
Guidelines”) [2] and describes response programs, including customer
notification procedures, that a financial institution should
develop and implement to address unauthorized access to or use of
customer information that could result in substantial harm or
inconvenience to a customer. The scope of, and definitions of terms
used in, this Guidance are identical to those of the Security
Guidelines. For example, the term “customer information” is the
same term used in the Security Guidelines, and means any record
containing nonpublic personal information about a customer, whether
in paper, electronic, or other form, maintained by or on behalf of
the institution.
[1] This Guidance was jointly issued by the Board of Governors of
the Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), the Office of the Comptroller of the Currency
(OCC), and the Office of Thrift Supervision (OTS). Pursuant to 12
U.S.C. 5412, the OTS is no longer a party to this Guidance.
[2] 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and
part 225, app. F (Board); and 12 CFR part 364, app. B and 12 CFR
391.5 (FDIC). The “Interagency Guidelines Establishing Information
Security Standards” were formerly known as “The Interagency
Guidelines Establishing Standards for Safeguarding Customer
Information.”
A. Interagency Security Guidelines
Section 501(b) of the GLBA required the Agencies to establish
appropriate standards for financial institutions subject to their
jurisdiction that include administrative, technical, and physical
safeguards, to protect the security and confidentiality of customer
information. Accordingly, the Agencies issued Security Guidelines
requiring every financial institution to have an information
security program designed to:
1. Ensure the security and confidentiality of customer
information;
2. Protect against any anticipated threats or hazards to the
security or integrity of such information; and
3. Protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience
to any customer.
B. Risk Assessment and Controls
1. The Security Guidelines direct every financial institution to
assess the following risks, among others, when developing its
information security program:
a. Reasonably foreseeable internal and external threats that
could result in unauthorized disclosure, misuse, alteration, or
destruction of customer information or customer information
systems;
b. The likelihood and potential damage of threats, taking into
consideration the sensitivity of customer information; and
c. The sufficiency of policies, procedures, customer information
systems, and other arrangements in place to control risks. [3]
[3] See Security Guidelines, III.B.
2. Following the assessment of these risks, the Security
Guidelines require a financial institution to design a program to
address the identified risks. The particular security measures an
institution should adopt will depend upon the risks presented by
the complexity and scope of its business. At a minimum, the
financial institution is required to consider the specific security
measures enumerated in the Security Guidelines, [4] and adopt those
that are appropriate for the institution, including:
[4] See Security Guidelines, III.C.
a. Access controls on customer information systems, including
controls to authenticate and permit access only to authorized
individuals and controls to prevent employees from providing
customer information to unauthorized individuals who may seek to
obtain this information through fraudulent means;
b. Background checks for employees with responsibilities for
access to customer information; and
c. Response programs that specify actions to be taken when the
financial institution suspects or detects that unauthorized
individuals have gained access to customer information systems,
including appropriate reports to regulatory and law enforcement
agencies. [5]
[5] See Security Guidelines, III.C.
C. Service Providers
The Security Guidelines direct every financial institution to
require its service providers by contract to implement appropriate
measures designed to protect against unauthorized access to or use
of customer information that could result in substantial harm or
inconvenience to any customer. [6]
[6] See Security Guidelines, II.B. and III.D. Further, the
Agencies note that, in addition to contractual obligations to a
financial institution, a service provider may be required to
implement its own comprehensive information security program in
accordance with the Safeguards Rule promulgated by the Federal
Trade Commission (“FTC”), 16 CFR part 314.
II. Response Program
Millions of Americans, throughout the country, have been victims
of identity theft. [7] Identity thieves misuse personal information
they obtain from a number of sources, including financial
institutions, to perpetrate identity theft. Therefore, financial
institutions should take preventative measures to safeguard
customer information against attempts to gain unauthorized access
to the information. For example, financial institutions should
place access controls on customer information systems and conduct
background checks for employees who are authorized to access
customer information. [8] However, every financial institution should
also develop and implement a risk-based response program to address
incidents of unauthorized access to customer information in
customer information systems [9] that occur nonetheless. A response
program should be a key part of an institution's information
security program. [10] The program should be appropriate to the size
and complexity of the institution and the nature and scope of its
activities.
[7] The FTC estimates that nearly 10 million Americans discovered
they were victims of some form of identity theft in 2002.
See The Federal Trade Commission, Identity Theft Survey
Report, (September 2003), available at
http://www.ftc.gov/os/2003/09/synovatereport.pdf.
[8] Institutions should also conduct background checks of
employees to ensure that the institution does not violate 12 U.S.C.
1829, which prohibits an institution from hiring an individual
convicted of certain criminal offenses or who is subject to a
prohibition order under 12 U.S.C. 1818(e)(6).
[9] Under the Guidelines, an institution's customer information
systems consist of all of the methods used to access, collect,
store, use, transmit, protect, or dispose of customer information,
including the systems maintained by its service providers.
See Security Guidelines, I.C.2.d.
[10] See FFIEC Information Technology Examination Handbook,
Information Security Booklet, Dec. 2002 available at
http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm.
Federal Reserve SR 97-32, Sound Practice Guidance for Information
Security for Networks, Dec. 4, 1997; OCC Bulletin 2000-14,
“Infrastructure Threats - Intrusion Risks” (May 15, 2000), for
additional guidance on preventing, detecting, and responding to
intrusions into financial institution computer systems.
In addition, each institution should be able to address
incidents of unauthorized access to customer information in
customer information systems maintained by its domestic and foreign
service providers. Therefore, consistent with the obligations in
the Guidelines that relate to these arrangements, and with existing
guidance on this topic issued by the Agencies, [11] an institution's
contract with its service provider should require the service
provider to take appropriate actions to address incidents of
unauthorized access to the financial institution's customer
information, including notification to the institution as soon as
possible of any such incident, to enable the institution to
expeditiously implement its response program.
[11] See Federal Reserve SR Ltr. 13-19, Guidance on
Managing Outsourcing Risk, Dec. 5, 2013; OCC Bulletin 2013-29,
“Third-Party Relationships - Risk Management Guidance,” Oct. 30,
2013; and FDIC FIL 68-99, Risk Assessment Tools and Practices for
Information System Security, July 7, 1999.
A. Components of a Response Program
1. At a minimum, an institution's response program should
contain procedures for the following:
a. Assessing the nature and scope of an incident, and
identifying what customer information systems and types of customer
information have been accessed or misused;
b. Notifying its primary Federal regulator as soon as possible
when the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer
information, as defined below;
c. Consistent with the Agencies' Suspicious Activity Report
(“SAR”) regulations, [12] notifying appropriate law enforcement
authorities, in addition to filing a timely SAR in situations
involving Federal criminal violations requiring immediate
attention, such as when a reportable violation is ongoing;
[12] An institution's obligation to file a SAR is set out in the
Agencies' SAR regulations and Agency guidance. See 12 CFR
21.11 (national banks, Federal branches and agencies); 12 CFR
163.180 (Federal savings associations); 12 CFR 208.62 (State member
banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR
211.24(f) (uninsured State branches and agencies of foreign banks);
12 CFR 225.4(f) (bank holding companies and their nonbank
subsidiaries); 12 CFR part 353 (State non-member banks); and 12 CFR
390.355 (state savings associations). National banks and Federal
savings associations must file SARs in connection with computer
intrusions and other computer crimes. See OCC Bulletin
2000-14, “Infrastructure Threats - Intrusion Risks” (May 15, 2000);
see also Federal Reserve SR 01-11, Identity Theft and
Pretext Calling, Apr. 26, 2001.
d. Taking appropriate steps to contain and control the incident
to prevent further unauthorized access to or use of customer
information, for example, by monitoring, freezing, or closing
affected accounts, while preserving records and other evidence; [13]
and
[13] See FFIEC Information Technology Examination Handbook,
Information Security Booklet, Dec. 2002, pp. 68-74.
e. Notifying customers when warranted.
2. Where an incident of unauthorized access to customer
information involves customer information systems maintained by an
institution's service providers, it is the responsibility of the
financial institution to notify the institution's customers and
regulator. However, an institution may authorize or contract with
its service provider to notify the institution's customers or
regulator on its behalf.
III. Customer Notice
Financial institutions have an affirmative duty to protect their
customers' information against unauthorized access or use.
Notifying customers of a security incident involving the
unauthorized access or use of the customer's information in
accordance with the standard set forth below is a key part of that
duty. Timely notification of customers is important to manage an
institution's reputation risk. Effective notice also may reduce an
institution's legal risk, assist in maintaining good customer
relations, and enable the institution's customers to take steps to
protect themselves against the consequences of identity theft. When
customer notification is warranted, an institution may not forgo
notifying its customers of an incident because the institution
believes that it may be potentially embarrassed or inconvenienced
by doing so.
A. Standard for Providing Notice
When a financial institution becomes aware of an incident of
unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to promptly
determine the likelihood that the information has been or will be
misused. If the institution determines that misuse of its
information about a customer has occurred or is reasonably
possible, it should notify the affected customer as soon as
possible. Customer notice may be delayed if an appropriate law
enforcement agency determines that notification will interfere with
a criminal investigation and provides the institution with a
written request for the delay. However, the institution should
notify its customers as soon as notification will no longer
interfere with the investigation.
1. Sensitive Customer Information
Under the Guidelines, an institution must protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer.
Substantial harm or inconvenience is most likely to result from
improper access to sensitive customer information because
this type of information is most likely to be misused, as in the
commission of identity theft. For purposes of this Guidance,
sensitive customer information means a customer's name,
address, or telephone number, in conjunction with the customer's
social security number, driver's license number, account number,
credit or debit card number, or a personal identification number or
password that would permit access to the customer's account.
Sensitive customer information also includes any combination
of components of customer information that would allow someone to
log onto or access the customer's account, such as user name and
password or password and account number.
2. Affected Customers
If a financial institution, based upon its investigation, can
determine from its logs or other data precisely which customers'
information has been improperly accessed, it may limit notification
to those customers with regard to whom the institution determines
that misuse of their information has occurred or is reasonably
possible. However, there may be situations where the institution
determines that a group of files has been accessed improperly, but
is unable to identify which specific customers' information has
been accessed. If the circumstances of the unauthorized access lead
the institution to determine that misuse of the information is
reasonably possible, it should notify all customers in the
group.
B. Content of Customer Notice
1. Customer notice should be given in a clear and conspicuous
manner. The notice should describe the incident in general terms
and the type of customer information that was the subject of
unauthorized access or use. It also should generally describe what
the institution has done to protect the customers' information from
further unauthorized access. In addition, it should include a
telephone number that customers can call for further information
and assistance. [14] The notice also should remind customers of the
need to remain vigilant over the next twelve to twenty-four months,
and to promptly report incidents of suspected identity theft to the
institution. The notice should include the following additional
items, when appropriate:
[14] The institution should, therefore, ensure that it has
reasonable policies and procedures in place, including trained
personnel, to respond appropriately to customer inquiries and
requests for assistance.
a. A recommendation that the customer review account statements
and immediately report any suspicious activity to the
institution;
b. A description of fraud alerts and an explanation of how the
customer may place a fraud alert in the customer's consumer reports
to put the customer's creditors on notice that the customer may be
a victim of fraud;
c. A recommendation that the customer periodically obtain credit
reports from each nationwide credit reporting agency and have
information relating to fraudulent transactions deleted;
d. An explanation of how the customer may obtain a credit report
free of charge; and
e. Information about the availability of the FTC's online
guidance regarding steps a consumer can take to protect against
identity theft. The notice should encourage the customer to report
any incidents of identity theft to the FTC, and should provide the
FTC's Web site address and toll-free telephone number that
customers may use to obtain the identity theft guidance and report
suspected incidents of identity theft. [15]
[15] Currently, the FTC Web site for the ID Theft brochure and the
FTC Hotline phone number are http://www.consumer.gov/idtheft
and 1-877-IDTHEFT. The institution may also refer customers to any
materials developed pursuant to section 151(b) of the FACT Act
(educational materials developed by the FTC to teach the public how
to prevent identity theft).
2. The Agencies encourage financial institutions to notify the
nationwide consumer reporting agencies prior to sending notices to
a large number of customers that include contact information for
the reporting agencies.
C. Delivery of Customer Notice
Customer notice should be delivered in any manner designed to
ensure that a customer can reasonably be expected to receive it.
For example, the institution may choose to contact all customers
affected by telephone or by mail, or by electronic mail for those
customers for whom it has a valid e-mail address and who have
agreed to receive communications electronically.
[66 FR 8633, Feb. 1, 2001, as amended at 69 FR 77616, Dec. 28,
2004; 70 FR 15751, 15753, Mar. 29, 2005; 71 FR 5780, Feb. 3, 2006;
79 FR 54544, Sept. 11, 2014]