Interagency Guidelines Establishing Information Security Standards

AGENCY:

Board of Governors of the Federal Reserve System.

ACTION:

Final rule; technical amendment.

SUMMARY:

The Board of Governors of the Federal Reserve System (Board) is amending Appendix D-2 of Regulation H and Appendix F of Regulation Y to correct citations to rules on privacy of consumer financial information.

DATES:

Effective Date: This rule is effective July 31, 2014.

FOR FURTHER INFORMATION CONTACT:

Clinton Chen, Attorney, (202) 452-3952, Legal Division. For the hearing impaired only, Telecommunication Device for the Deaf (TDD), (202) 263-4869.

SUPPLEMENTARY INFORMATION:

Section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) requires the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (the Agencies), as well as the National Credit Union, the Securities and Exchange Commission, and the Federal Trade Commission, to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical, and physical safeguards for customer records and information.

In February 2001, the Agencies issued a joint final rule implementing guidelines for establishing standards for safeguarding customer information under section 501(b) of the GLB Act. The Board's versions of the guidelines (now entitled Interagency Guidelines Establishing Information Security Standards (Security Guidelines)) are codified in Appendix D-2 of Regulation H (12 CFR part 208) and Appendix F of Regulation Y (12 CFR part 225). In December 2004, the Agencies amended the Security Guidelines pursuant to section 628 of the Fair Credit Reporting Act, which requires proper disposal of consumer information. The Security Guidelines establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of consumer information. The Security Guidelines in the Board's Regulation H and Y currently cross-reference the definitions of “customer” and “customer information” in the Board's Regulation P (Privacy of Consumer Financial Information).

In May 2014, the Board approved the repeal of Regulation P, effective June 30, 2014. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for a number of consumer financial protection laws from the Board and other agencies to the Consumer Financial Protection Bureau (CFPB), except with respect to certain motor vehicle dealers. The transfer includes rulemaking authority for Regulation P under the financial privacy provisions of the GLB Act. (The Dodd-Frank Act did not transfer responsibility for the Security Guidelines.) The CFPB has issued interim final rules that are substantially identical to the Board's Regulation P.

The Board is amending the cross-references in the Security Guidelines to refer to the CFPB's version of Regulation P. These amendments do not have any effect on the substantive requirements imposed by the Security Guidelines.

Administrative Procedure Act

In accordance with section 553(b) the Administrative Procedures Act (APA) (5 U.S.C. 553(b)), the Board finds, for good cause, that providing an opportunity for public comment is unnecessary. The amendments are solely technical amendments that change citations in two definitions from references to the Board's Regulation P to the CFPB's Regulation P, which contain identical definitions. The revisions result in no substantive change to the rule.

Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR part 1320 Appendix A.1), the Board has reviewed the final rule under authority delegated to the Board by the Office of Management and Budget. The technical amendments to the Security Guidelines will revise the cross-references in the Security Guidelines to refer to the CFPB's version of Regulation P. The amendments do not change any substantive requirements of the regulation or currently approved information collections. Therefore, no additional paperwork burden will be imposed as a result of this rulemaking.

List of Subjects

12 CFR Part 208

• Banks, banking
• Consumer protection
• Federal Reserve System
• Foreign banking
• Holding companies
• Information
• Privacy
• Reporting and recordkeeping requirements

12 CFR Part 225

• Administrative practice and procedure
• Banks, banking
• Federal Reserve System
• Holding companies
• Privacy
• Reporting and recordkeeping requirements
• Securities

Authority and Issuance

For the reasons set forth in the preamble, the Board amends Regulations H and Y, 12 CFR parts 208 and 225 as follows:

PART 208—MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)

1. The authority citation for part 208 continues to read as follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 371d, 461, 481-486, 601, 611, 1814, 1816, 1818, 1820(d)(9), 1823(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, 3905-3909, and 5371; 15 U.S.C. 78b, 78I(b), 78l(i), 780-4(c)(5), 78q, 78q-1, and 78w, 1681s, 1681w, 6801, and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106 and 4128.

2. Amend Appendix D-2 to part 208, as follows:

a. In section I.C.2.d., remove “§ 216.3(h)” and add in its place “§ 1016.3(i)”; and

b. In section I.C.2.e., remove “§ 216.3(n)” and add in its place “§ 1016.3(p).”

PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)

3. The authority citation for part 225 continues to read as follows:

Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331-3351, 3907, and 3909; 15 U.S.C. 1681s, 1681w, 6801 and 6805.

4. Amend Appendix F to part 225, as follows:

a. In section I.C.2.b., remove “§ 216.3(h)” and add in its place “§ 1016.3(i)”; and

b. In section I.C.2.c., remove “§ 216.3(n)” and add in its place “§ 1016.3(p).”