Releasing Information; General Provisions; Accounting and Reporting Requirements; Reports of Accounts and Exposures, 77557-77563 [2013-30717]

Rules and Regulations
Federal Register Vol. 78, No. 247, Tuesday, December 24, 2013

This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510. The Code of Federal Regulations is sold by the Superintendent of Documents. Prices of new books are listed in the first FEDERAL REGISTER issue of each week.

FARM CREDIT ADMINISTRATION

12 CFR Parts 602, 618, and 621

RIN 3052–AC76

Releasing Information; General Provisions; Accounting and Reporting Requirements; Reports of Accounts and Exposures

AGENCY: Farm Credit Administration.

ACTION: Final rule.

SUMMARY: The Farm Credit Administration (FCA, we, or our) issues this final rule to establish a regulatory framework for the reliable, timely, accurate, and complete reporting of Farm Credit System (System) accounts and exposures for examination activities and risk evaluation. The final rule specifies the reporting requirements and performance responsibilities, including, but not limited to, establishing uniform and standard data fields to be collected from all System institutions and a disciplined and secure delivery of information. The final rule authorizes a Reporting Entity (defined as the Federal Farm Credit Banks Funding Corporation (Funding Corporation) or an entity approved by FCA), to collect data from all banks and associations and serve as the central data repository manager. Additionally, the final rule requires all banks and associations to provide data to the Reporting Entity to facilitate the collection, enhancement, and reporting of data to FCA.

DATES: Effective Date: This regulation will become effective 30 days after publication in the Federal Register during which either or both Houses of Congress are in session. We will publish a notice of effective date in the Federal Register.

Compliance Date: All provisions of this regulation require compliance on the effective date, except the Reporting Entity’s requirements under § 621.15(b)(1) through (b)(6). We are delaying compliance with these requirements to allow for the development of and transition to the System’s central data repository. We will publish the compliance date for these requirements in the Federal Register.

FOR FURTHER INFORMATION CONTACT: Susan Coleman, Senior Policy Analyst, Office of Regulatory Policy, Farm Credit Administration, McLean, VA 22102–5090, (703) 883–4491, TTY (703) 883–4056, or Jane Virga, Senior Counsel, Office of General Counsel, Farm Credit Administration, McLean, VA 22102–5090, (703) 883–4020, TTY (703) 883–4056.

SUPPLEMENTARY INFORMATION:

I. Objectives

The objectives of this final rule are to:
• Reaffirm FCA’s authority to collect data on System institution accounts and exposures for examination activities and risk evaluation;
• Require all banks and associations to provide data on accounts and exposures to the Reporting Entity, for the purposes of reporting to FCA; and
• Establish the authority for and responsibilities of the Reporting Entity to collect, store, manage, and extrapolate data on accounts and exposures for reporting to FCA.

II. Background

The Farm Credit Act of 1971, as amended (Act),1 in pertinent part, confers authority on FCA to examine and supervise the institutions of the System and authorizes FCA to issue regulations implementing the Act’s provisions.2 Our regulations, including this final rule, are intended to ensure the safe and sound operations of System institutions. In order to meet FCA’s responsibility to ensure the safety and soundness of System institutions, we must have reliable, timely, accurate, and complete information about each bank’s and association’s assets and liabilities.
Section 4.12(b)(5) of the Act confirms FCA’s authority to request information from a System institution for examination and supervision and the concurrent obligation of a System institution to provide FCA with access to the records of the System institution. This statute makes it clear that FCA must have access to all records of a System institution and provides that concealment or refusal to provide access to such records is the basis for the appointment of a receiver or conservator.

In addition to that statutory authority, another section of the Act provides authority to FCA to require the production of System institution records. Section 5.9(4) of the Act provides FCA the power to require such reports as it deems necessary from System institutions.3 Additionally, section 5.22A of the Act and § 621.12(a) of FCA regulations require each System institution to prepare and file such reports of condition and performance as may be required by FCA. Further clarification is provided in § 621.12(b) of FCA regulations, which states that these reports of condition and performance must be filed four times a year and may include such additional reports as may be necessary to ensure timely, complete, and accurate monitoring and evaluation of the affairs, condition, and performance of System institutions as determined by the Chief Examiner. In addition, § 621.12(c) of FCA regulations requires all reports of condition and performance to be submitted electronically in accordance with the instructions prescribed by FCA.

For over a decade, FCA has collected detailed asset reports through loan data extracts from System institutions to facilitate examination activities and risk evaluation, and shared this data with the Farm Credit System Insurance Corporation (FCSIC) on a confidential basis subject to an interagency agreement.

1 Public Law 92–181, 85 Stat. 583 (1971), 12 U.S.C. 2001 et seq.
2 12 U.S.C. 2252(a)(8), (9), and (10).
The need for consistent, comprehensive, and comparable data across all System institutions has evolved, as the complexity and volume of assets has increased. The availability of quality and timely data on accounts and exposures, including any loan, lease, letter of credit, derivative, or, any other asset, liability, other balance sheet account, or off-balance-sheet exposure, has become critical to efficient and effective examination activities and risk evaluation. Accordingly, we continue to work with the System to collect more comprehensive data submissions and enhance the reporting to facilitate the evaluation of changing lending risks and conditions.

An integral component of FCA’s and FCSIC’s ability to quickly and accurately identify and respond to risk is the collection of data on, and identification of, shared assets. Shared assets are any account or exposure where two or more System institutions have assumed a portion of the asset’s benefits or risks. On October 3, 2012, the FCA Board approved Bookletter BL–065, which describes FCA’s expectations that each System institution and its board of directors establish and implement an automated mechanism to consistently identify shared asset exposures. Bookletter BL–065 continues to contain pertinent guidance for System institutions. After the central data repository is completed by the Reporting Entity, including the implementation of an automated mechanism to accurately identify the System’s shared asset exposures, FCA will evaluate whether to rescind Bookletter BL–065.

3 Further, under section 5.17(a)(11) of the Act, FCA may “[e]xercise such incidental powers as may be necessary or appropriate to fulfill its duties and carry out the purposes of {the} Act.”
In addition to other objectives, and in order to facilitate the identification of shared asset exposures and enable System risk assessment, System banks and associations are working with the Funding Corporation to create a central data repository to collect and store data from all System banks and associations, establish an automated mechanism to timely and accurately identify the System’s shared asset exposures, and report Systemwide accounts and exposures on behalf of the System banks and associations to FCA. The Funding Corporation, in coordination with the banks and associations, is in the process of developing and deploying the central data repository and plans to assume the role of the Reporting Entity for the banks’ and associations’ reports of accounts and exposures by yearend 2014.

We believe the final rule provides a uniform system and process for the reporting of accounts and exposures. The final rule reaffirms FCA’s authority to collect data from the System and communicates the authority for, and responsibilities of, the Reporting Entity to collect data on behalf of the System banks and associations for delivery to FCA. The final rule also confirms FCA’s authority to share examination reports or other information on System institutions prepared or held by FCA with FCSIC, subject to appropriate security and controls.

The final rule requires the banks, associations, and Reporting Entity to establish a system of internal controls over the data. Additionally, the banks and associations must establish a data governance structure with the Reporting Entity to document the responsibilities and accountabilities for the conveyance, storage, and uses of the information stored in the central data repository. This data governance structure should establish agreement among the banks, associations, and Reporting Entity and must be in place prior to the first transfer of data to the Reporting Entity.
During the System’s data repository development phase, the banks and associations will continue to prepare and submit the reports of accounts and exposures to FCA in accordance with the instructions prescribed by FCA under § 621.15(a) of this final rule. Upon satisfactory demonstration by the Reporting Entity of the ability to prepare reliable, timely, complete and accurate reporting of accounts and exposures, FCA will accept report(s) of all banks’ and associations’ accounts and exposures from the Reporting Entity, acting on behalf of the banks and associations. FCA will establish a delayed compliance date for the Reporting Entity’s responsibilities under § 621.15(b)(1) through (b)(6) during the data repository development phase.

FCA understands that the development of the central data repository is a necessary precursor to the automated identification and reporting of shared exposures. However, FCA expects timely implementation of the System’s mechanism to identify shared asset exposures as required in § 621.15(b)(3) once the data repository is complete. Since the identification of shared asset and customer exposures at the System level through an automated mechanism is not yet implemented, we will establish a delayed compliance date as previously discussed.

The System’s ultimate success of implementing a process for reporting shared exposures is dependent upon the cooperation and collaboration of the banks, associations, and Reporting Entity. We also understand that identification, management, and control of shared assets will primarily rest at the bank and association level and will be reported by the banks and associations in their quarterly reports. However, the responsibility of accumulating the shared assets to the shared customer level will primarily rest with the Reporting Entity.
As such, the Reporting Entity is not only a conduit to submit the banks and associations reports of accounts and exposures, but is also necessary to establish and report accurate System shared exposures. Due to this interdependency, we expect continual and thorough collaboration and cooperation to ensure the mechanism to identify shared exposures is timely, accurate and complete. The data dictionary and instructions will specify the various components of the shared asset identifiers such as the shared asset number, the shared customer number and the System customer lead. FCA will continue to collaborate with the System on the specifics for identifying shared exposures through the data dictionary and instructions published on the FCA Web site.

The final regulation requires the Reporting Entity to notify FCA immediately in writing of the following events: (1) If there is a breach of information; (2) if there is a request for data from the reports of accounts and exposures from non-System entities; or, (3) if it is unable to prepare and submit the report(s) of accounts and exposures in compliance with the regulation. Additionally, in the event of a breach of information, the Reporting Entity must provide immediate written notice of the breach to each bank and association concerned.

The Reporting Entity may request that the banks and associations appoint a replacement Reporting Entity to assume the authorities and reporting obligations of the Reporting Entity. Additionally, the banks and associations at their discretion, and with the approval of the FCA, may elect to select a replacement Reporting Entity to assume the authorities and reporting obligations of the Reporting Entity.

The proposed rule, which was published for public comment for 30 days, generated five comment letters, four of which were generally supportive. One comment letter opposed the proposed regulation in its entirety.
After considering the comments, we now finalize the proposed provisions as discussed below.

III. Discussion of Comment Letters and Section-by-Section Analysis of Final Rule

The five comment letters we received came from one Farm Credit Bank (AgriBank, FCB); three System agricultural credit associations (Farm Credit East, ACA, Greenstone Farm Credit Services, ACA, and River Valley AgCredit, ACA); and the Farm Credit Council (Council) acting on behalf of its membership. These letters contained a number of constructive comments that resulted in changes to a number of provisions in the proposed rule.

General Issues

Four commenters support our efforts to set up a regulatory framework, but ask that we continue to cooperate with System institutions regarding changes to data submission requirements so that an appropriate balance remains between the need to evaluate changing lending risks and the cost of regulatory burden to the System. The concept of a central data repository has been a collaborative and cooperative approach between the System and FCA to ensure all parties’ needs are adequately met and addressed. We intend to continue to collaborate and to provide the banks, associations, and Reporting Entity with ample opportunity to provide input on any anticipated changes to the data submission requirements or instructions. In our response below to comments on certain provisions of the proposed rule, we have made some changes to further clarify our intended process for changes to data submission requirements and to limit the regulatory burden on the System.

The commenter that opposed the rule in its entirety was concerned with sending confidential borrower information to the Reporting Entity. We understand and share this concern and believe we have included requirements in the regulation to address it.
Specifically, the final rule requires the Reporting Entity to develop and implement an effective system of internal controls over the central data repository to ensure the confidentiality of borrower information. In addition, we expect the banks and associations to establish a data governance structure that documents agreement among the banks, associations, and Reporting Entity on the responsibilities and accountabilities for information stored in the central data repository. Finally, we also require the immediate reporting of any breach of information to FCA and each bank and association concerned.

This commenter is also concerned with the increased cost due to the regulation. We believe that the availability of quality and timely data on accounts and exposures is paramount to efficient and effective examination activities and risk evaluation, as well as the System’s own risk-management practices. We believe that establishing a central data repository, including an automated mechanism to accurately identify shared asset exposures, is a prudent expense that provides both FCA and the System (including this commenter) with the ability to timely evaluate risks and conditions, and respond appropriately.

1. Authority To Promulgate the Regulation

FCA cited section 5.22A of the Act as the basis to require a System institution to submit loan data. A commenter questioned whether section 5.22A was the proper authority to promulgate this regulation. Although the commenter acknowledged FCA’s inherent authority to access System institution accounts and exposure data for examination activities and support the overall process outlined in the proposed regulation, the commenter was concerned that we cited an incorrect authority for the collection of the data. The commenter stated that the proposed rule provides a consolidated and efficient approach for submitting data from the System to FCA.
However, the commenter stated that it is a “stretch” to call the submission of loan and other similar data at the record level a uniform financial report as contemplated in section 5.22A of the Act. The commenter asserts that financial reporting means balance sheet, income statements, and related supporting schedules, even though FCA has the authority to interpret the statute.

Section 5.22A of the Act requires System institutions to comply with FCA’s uniform financial reporting instructions. Section 5.22A was cited in Bookletter BL–065, which was the genesis for the proposed regulation. The Bookletter provides FCA’s expectations for System institutions to establish and implement an automated mechanism to identify and report shared asset exposures. Section 5.22A of the Act provides, in pertinent part, that each System institution shall comply with uniform financial reporting instructions required by the Farm Credit Administration to standardize and facilitate the reporting of System data.

The commenter suggests section 4.12(b)(5) of the Act as authority for the regulation. Although we continue to believe that section 5.22A of the Act authorizes the regulation, we have included section 4.12(b)(5) as additional authority. Section 4.12(b)(5) of the Act provides that the FCA Board may appoint a conservator or receiver for any System institution that does not provide FCA with access to the “books, papers, records, or assets of the institution.” Including this additional authority source should provide the balance that the commenter desired and reassurance concerning the types of information retained by System institutions.

Also, as a technical matter, we added section 5.22A of the Act as authority for this regulation. We had included a discussion of this section in the preamble to the proposed rule but inadvertently omitted it from the authority citations.

2. Notice and Comment on Instructions

The proposed regulation provides that the banks and associations submit the reports of accounts and exposures in accordance with the instructions provided by FCA. The Council recommended that the rule be revised to provide for notice and comment when FCA changes any of its instructions on the reports of accounts and exposures. The Council asserts that the Administrative Procedure Act, 5 U.S.C. 553 (APA), requires that new instructions be subject to the notice and comment requirements. Another commenter asserted that the open-ended nature of the information collection process in the instructions is inappropriate in that it lacks balance and could be burdensome. As discussed below, we believe that the APA does not require notice and comment on the instructions for the submission of the accounts and exposure data and that the instructions will be appropriate.

The APA establishes, in pertinent part, that an agency must publish a proposed rule for notice and comment. By definition, a rule is an agency statement of general or particular applicability. A rule does not include an agency’s “housekeeping provisions.” We do not believe that the instructions for the submission of accounts and exposures data are a regulation. The instructions are not an agency statement of general or particular applicability. Rather, we believe that the instructions are procedural on their face and do not change substantive standards for the submission of the data by the System institutions. The instructions do not alter the rights or interests of the System institutions, although the instructions may alter the information and how it is provided to FCA. A procedural rule does not become a substantive one for notice and comment purposes simply because it arguably imposes a “burden” on the System.

We do, however, intend to continue to engage in comprehensive collaboration and communication with the banks, associations, and Reporting Entity.
We will provide all parties with sufficient time to review any proposed changes to the data dictionary and instructions and respond to us with any concerns, including the appropriateness of the data requirements and any burden.

In the future, FCA may amend the instructions, including the data dictionary, as the System and FCA continue to assess data needs. FCA intends to initiate an annual collaborative review of the data dictionary and corresponding instructions and provide any details on recommended changes to all parties in order to receive their comments and input prior to initiating any changes. This will ensure the System has the opportunity to provide adequate input to changes in the data submission requirements and in developing instructions on System data collection and storage. FCA plans to inform System institutions of proposed changes to the instructions and allow System institutions ample time to respond to any changes on the content of information to be provided or on the appropriate method of delivering information to the Reporting Entity or FCA. We believe that this process provides adequate balance to ensure that the information collected is appropriate for examination activities and risk analysis. However, exigent circumstances could mandate more frequent changes to the instructions, with or without System input.
The process we have discussed is consistent with the existing process for issuing instructions for providing “Uniform Call Reports.” We continue to believe, as first stated in Bookletter BL–065 that “[c]ollaboration by the System will improve the mechanisms and disciplines necessary to effectively assess and report shared-asset risks in a timely, complete and accurate manner.” We have confidence that this approach balances the needs of FCA to collect uniform and standardized data for examination and risk analysis with the needs of System institutions to collect the data needed and used for business or risk management purposes. Additionally, to clarify an additional comment on this topic, FCA’s instructions on the data submission requirements apply uniformly to all banks and associations.

3. Effective Date

Several of the commenters requested that we carefully consider the effective date of this regulation to ensure the System institutions have sufficient time to comply with the requirements. This regulation will become effective 30 days after publication in the Federal Register during which either or both Houses of Congress are in session. FCA will establish a delayed compliance date for the Reporting Entity’s requirements under § 621.15(b)(1) through (b)(6) of the rule to allow for the development of and transition to the System’s central data repository. Accordingly, the compliance date for § 621.15(b)(1) through (b)(6) requirements will be published separately in the Federal Register. All other sections and requirements of the regulation require compliance on the effective date of the regulation.

As discussed in the preamble, we expect the banks and associations to continue preparing and submitting the reports of accounts and exposures to FCA under the current established data dictionary and instructions prescribed by FCA.
This current submission of data will continue until such time as the Reporting Entity completes the development and implementation of the central data repository and satisfactorily demonstrates the ability to prepare and deliver to FCA reliable, timely, complete and accurate reporting of accounts and exposures, including the identification of shared asset exposures. When this occurs, FCA will accept report(s) of all banks’ and associations’ accounts and exposures from the Reporting Entity, acting on behalf of the banks and associations. FCA understands that the identification of shared asset and customer exposures at the System level is not yet implemented and therefore, as stated previously, a delayed compliance date will be established for these requirements of the rule.

Specific Issues

1. Sharing Data on Third-Party Systems or With Contractors [new § 602.2(c)]

The proposed rule would establish a confidentiality and data security agreement requirement between FCA and FCSIC when accounts and exposures data is shared between the two agencies.4 The Council and another commenter stated they were extremely concerned over: (1) The security of FCA or FCSIC storing accounts and exposures data on third-party systems; and (2) FCSIC providing the data to third-party contractors or vendors. They recommended we update the regulatory language to ensure that FCSIC cannot release the data to a vendor or any other third party and that the data must remain on FCA or FCSIC systems at all times.

We understand and share the commenters’ concerns with data security. However, we believe that the § 602.2(c) requirement for a confidentiality and data security agreement between FCA and FCSIC adequately ensures the integrity, confidentiality, and security of the data. Safeguarding borrower information is of paramount importance to the System and FCA. As to the comment concerning providing access to contractors, the interagency agreement between FCA and FCSIC governs and protects borrower data in any form and includes restrictions on sharing the data with contractors. These safeguards are appropriate for this type of data and provide FCA and FCSIC the necessary access to the information while protecting it from unauthorized access and use. We also note that pursuant to Federal statute, FCA does not waive any privilege by sharing information with FCSIC. See 12 U.S.C. 1821(t).

4 Section 5.59(a)(5) of the Act provides that FCSIC, to the extent practicable, shall use the personnel and resources of FCA to minimize duplication of effort and to reduce costs. Under section 5.59(b), if the FCSIC Board considers it necessary to examine an insured System bank or a System association or any System institution in receivership, it may use FCA examiners to conduct the examination using reports and other information on the System institution prepared or held by FCA. If the FCSIC Board determines that such reports or information are not adequate to enable FCSIC to carry out the duties of FCSIC under section 5.59(b), it may request FCA to examine or to obtain other information from or about the System institution and provide FCSIC the resulting examination report or such other information. See also section 5.19(d) of the Act.

2. Bank and Association Certification Requirement [new § 621.15(a)(2)]

The proposed rule would require each bank and association to provide a written certification that the data submitted “has been prepared in accordance with all applicable regulations and instructions, and is a true and accurate record of the data maintained in the bank’s or association’s database, to the best of its knowledge and belief.”

The Council and other commenters suggested revising the certification requirement of the banks and associations to avoid the possible interpretation that FCA is prescribing what data a System institution maintains in its database.
The Council asked for clarification that the term “complete” apply only to data that a bank and association has available electronically. In addition, one commenter stated that they are unable to certify that all of the actual information in their records, regarding any particular borrower, is fully accurate at any point in time because it is borrower provided.

In order to address these concerns, we have modified the language in the final rule as requested to require that System institutions certify that their submissions are a “true and accurate record of the data maintained by the bank or association, to the best of its knowledge and belief.” Furthermore, we intended that each bank’s and association’s certification apply to the data submitted in its report(s) of accounts and exposures and available in its databases.

3. Reporting Entity Certification Requirement [new § 621.15(b)(4)]

The proposed rule provides, in pertinent part, that the Reporting Entity must certify “that the information provided in the report of each bank’s and association’s accounts and exposures has been prepared in accordance with all applicable regulations and instructions and accurately represents the information provided to it by the banks and associations.”

The Council suggested revising the Reporting Entity’s certification requirement. It believes the certification by the banks and associations is sufficient to ensure that the information in the report complies with the instructions. While we agree that the Reporting Entity does not need to certify that the banks and associations have complied with the instructions, the Reporting Entity is responsible for certifying its compliance with the instructions, particularly as they relate to the establishment and implementation of an automated mechanism to identify shared asset exposures.
To address these comments, we have modified the language in the final rule to clarify that the Reporting Entity needs to certify that the report accurately represents the information provided to it by the banks and associations and that the Reporting Entity has complied with the requirements of § 621.15(b).

4. Reporting Entity Notification if Unable To Prepare and Submit Report [new § 621.15(b)(6)]

The proposed rule provides, in pertinent part, that the Reporting Entity must “[n]otify the Farm Credit Administration if it is unable to prepare and submit the quarterly report of accounts and exposures in compliance with the requirements of this section.”

The Council requests that this provision be deleted. It believes that it is inappropriate to require the Reporting Entity to notify FCA when an individual institution fails to comply with the data submission requirements. FCA did not intend to hold the Reporting Entity responsible for notifying FCA of institution compliance or noncompliance with reporting responsibilities. Rather, FCA wants to be notified if the Reporting Entity is unable to submit the quarterly report to FCA for any reason, such as technical difficulties or if the accounts and exposures report to FCA from the Reporting Entity does not contain all banks’ and associations’ reports. In order to address the Council’s concern, we have modified the language in the final rule to clarify that the Reporting Entity needs to notify FCA if it is unable to submit the quarterly report in compliance with the Reporting Entity’s responsibilities as set forth in § 621.15(b)(1) through (b)(3).

5. Information Breach [new § 621.15(b)(7)]

The proposed rule provides, in pertinent part, that the Reporting Entity would be required to immediately notify FCA and each concerned bank and association if there is a breach of information.
Each bank and association would then determine whether any notice of the breach to any of its borrowers was required under applicable laws and regulations. The bank and association would be responsible for providing such notification to its borrowers. We defined ‘‘breach of information’’ to mean ‘‘unauthorized acquisition of or access to the central data repository, any quarterly reports of accounts and exposures or any other information received pursuant to § 621.15(a)(1).’’ Commenters raised several issues regarding these proposed requirements. They were concerned with the Reporting Entity providing written notice ‘‘immediately’’ to FCA and each bank and association concerned, if there is an information breach. Commenters asked that the term ‘‘immediately’’ be revised to allow a greater time to report, such as 3 business days. Also, commenters requested that we delete the language in § 621.15(b)(7)(ii) that the concerned bank and association determine whether any notice of the breach to any of its borrowers is required under applicable laws and regulations and, if so, that they are responsible for providing such notification. Commenters believe the language is not needed because the banks and associations are already required to comply with applicable laws and regulations. The commenters also requested that FCA clarify that the definition of ‘‘breach’’ refers only to situations in which data has been actually accessed by an unauthorized person. FCA does not believe it appropriate to allow more time to report a security breach. FCA continues to believe that the report must be made ‘‘immediately’’ because the extreme sensitivity of the data maintained in the central data repository makes it urgent to communicate an information breach. The term ‘‘immediately’’ in this context means without delay or at once. 
As to the deletion of the language in § 621.15(b)(7)(ii), we agree with the comment and have not included the specific language in this provision of the final rule. As noted in the proposed rule, the Reporting Entity is only responsible for notifying FCA and the bank and association concerned of any information breach. The bank or association concerned must comply with applicable laws and regulations regarding information security and should consider and follow best practices. Finally, in order to address the concern about the definition of ‘‘breach,’’ we have modified § 621.15(b)(7)(iii). In doing so, we do not believe ‘‘breach’’ should be limited to the occasion where data has actually been accessed by an unauthorized person. Instead, the modified definition is intended to capture attempts by unauthorized persons to access data and unauthorized possession of data.

IV. Regulatory Flexibility Act

Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), FCA hereby certifies that the final rule would not have a significant economic impact on a substantial number of small entities. Each of the banks in the Farm Credit System, considered together with its affiliated associations, has assets and annual income in excess of the amounts that would qualify them as small entities. Therefore, Farm Credit System institutions are not ‘‘small entities’’ as defined in the Regulatory Flexibility Act.

List of Subjects

12 CFR Part 602

Courts, Freedom of information, Government employees.

12 CFR Part 618

Agriculture, Archives and records, Banks, banking, Insurance, Reporting and recordkeeping requirements, Rural areas, Technical assistance.

12 CFR Part 621

Accounting, Agriculture, Banks, banking, Penalties, Reporting and recordkeeping requirements, Rural areas.
For the reasons stated in the preamble, parts 602, 618 and 621 of chapter VI, title 12 of the Code of Federal Regulations, are amended as follows:

PART 602—RELEASING INFORMATION

■ 1. The authority citation for part 602 is revised to read as follows:

Authority: Secs. 5.9, 5.17, 5.59 of the Farm Credit Act (12 U.S.C. 2243, 2252, 2277a-8); 5 U.S.C 301, 552; 12 U.S.C. 1821(t); 52 FR 10012; E.O. 12600; 52 FR 23781, 3 CFR 1987, p. 235.

■ 2. Section 602.2 is amended by:
■ a. Revising the heading;
■ b. Redesignating existing paragraph (c) as paragraph (d); and
■ c. Adding new paragraph (c) to read as follows:

§ 602.2 Disclosing reports of examination and other non-public information.

* * * * *
(c) Disclosure to the Farm Credit System Insurance Corporation. Without waiving any privilege or limiting any of the requirements of section 5.59 of the Farm Credit Act of 1971, as amended, we may disclose reports of examination and other examination and non-public information, including data from reports of System accounts and exposures received pursuant to § 621.15 of this chapter, to the Farm Credit System Insurance Corporation pursuant to confidentiality and data security agreements executed between the agencies.
* * * * *

PART 618—GENERAL PROVISIONS

■ 3. The authority citation for part 618 continues to read as follows:

Authority: Secs. 1.5, 1.11, 1.12, 2.2, 2.4, 2.5, 2.12, 3.1, 3.7, 4.12, 4.13A, 4.25, 4.29, 5.9, 5.10, 5.17, of the Farm Credit Act (12 U.S.C. 2013, 2019, 2020, 2073, 2075, 2076, 2093, 2122, 2128, 2183, 2200, 2211, 2218, 2243, 2244, 2252).

§ 618.8300 [Amended]

■ 4. Section 618.8300 is amended by removing the words ‘‘as authorized in the following paragraphs’’ and adding in their place, the words ‘‘as authorized by Farm Credit Administration regulations (§§ 618.8300 through 618.8330)’’.

■ 5. Section 618.8310 is amended by adding a new paragraph (c) to read as follows:

§ 618.8310 Lists of borrowers and stockholders.

* * * * *
(c) In connection with preparing and submitting an electronic report of all System accounts and exposures to the Farm Credit Administration in accordance with the requirements of § 621.15 of this chapter, each bank and association may provide information from its lists of borrowers and stockholders to the Reporting Entity as defined in § 621.2 of this chapter.

■ 6. Section 618.8320 is amended by adding a new paragraph (b)(10) to read as follows:

§ 618.8320 Data regarding borrowers and loan applicants.

* * * * *
(b) * * *
(10) In connection with preparing and submitting an electronic report of all System accounts and exposures to the Farm Credit Administration in accordance with the requirements of § 621.15 of this chapter, each bank and association may provide data on its accounts and exposures to the Reporting Entity as defined in § 621.2 of this chapter.
* * * * *

PART 621—ACCOUNTING AND REPORTING REQUIREMENTS

■ 7. The authority citation for part 621 is revised to read as follows:

Authority: Secs. 4.12(b)(5), 5.17, 5.22A, 8.11 of the Farm Credit Act (12 U.S.C. 2183, 2252, 2257a, 2279aa-11); sec. 514 of Pub. L. 102–552.

■ 8. Section 621.2 is amended by:
■ a. Redesignating paragraph (a) as paragraph (b), paragraph (b) as paragraph (d), and paragraphs (c) through (i) as paragraphs (f) through (l), respectively; and
■ b. Adding new paragraphs (a), (c), (e), (m) and (n) to read as follows:

§ 621.2 Definitions.

(a) Accounts and exposures means data related to any loan, lease, letter of credit, derivative, or, any other asset, liability, other balance sheet account, or off-balance-sheet exposure of a System institution.
* * * * *
(c) Banks and associations mean all Farm Credit Banks, Agricultural credit banks, and associations.
* * * * *
(e) Central data repository means a central data warehouse that electronically collects and stores current and historical data and is created by integrating data from one or more disparate sources.
* * * * *
(m) Reporting entity means the Federal Farm Credit Banks Funding Corporation, or other entity approved by the Farm Credit Administration.
(n) Shared asset means any account or exposure where two or more Farm Credit institutions have assumed a portion of the asset’s benefits or risks. An institution’s share in the asset may be established through means such as syndications, participation agreements, assignments, or other arrangements with System entities.

■ 9. Revise the heading of subpart D to read as follows:

Subpart D—Reports of Condition and Performance and Accounts and Exposures

■ 10. Section 621.12 is amended by revising the heading to read as follows:

§ 621.12 Reports of condition and performance.

* * * * *

■ 11. Add a new § 621.15 to subpart D to read as follows:

§ 621.15 Reports of accounts and exposures.

(a) Responsibilities of banks and associations for preparing and submitting reports. The banks and associations must prepare and submit an accurate and complete report of all bank and association accounts and exposures electronically to the Farm Credit Administration pursuant to the requirements of this part. In order to accomplish such submission, each bank and association must:
(1) Prepare and submit an accurate and complete report of its accounts and exposures electronically to the Reporting Entity:
(i) In accordance with the instructions prescribed by the Farm Credit Administration, or as may be required by the Farm Credit Administration; and
(ii) Within 20 calendar days after each quarter-end date, and at such other times as the Farm Credit Administration may require.
(2) Submit to the Farm Credit Administration and the Reporting Entity a written certification that the information provided in the report of accounts and exposures has been prepared in accordance with all applicable regulations and instructions, and is a true and accurate record of the data maintained by the bank or association, to the best of its knowledge and belief. The reports shall be certified by the officer of the reporting bank or association named for that purpose by action of the reporting bank’s or association’s board of directors. If the board of directors of the bank or association has not acted to name an officer to certify to the accuracy of its reports of accounts and exposures, then the reports shall be certified by the president or chief executive officer of the reporting bank or association. In the event the bank or association learns of a material error or misstatement in the information submitted to the Reporting Entity, it must notify the Reporting Entity and the Farm Credit Administration immediately of the error or misstatement and prepare and submit corrected information as soon as practicable.
(3) Respond promptly to any questions by the Reporting Entity related to information provided under this section in connection with the preparation of a report of accounts and exposures, including any data required to establish, implement and maintain consistent, accurate, and complete shared asset identification and reporting of shared asset exposures to the Farm Credit Administration.
(4) Develop, implement, and maintain an effective system of internal controls over the data included in the report of accounts and exposures, including controls for maintaining the confidentiality of borrower information.
The system of internal controls, at a minimum, must comply with the requirements of applicable Farm Credit Administration regulations, including § 618.8430 of this chapter.
(b) Responsibilities of the Reporting Entity for preparing and submitting reports. The Reporting Entity must:
(1) Collect, store, and manage the information submitted to it by each bank and association under the requirements of this section in a central data repository in accordance with Farm Credit Administration regulations and prescribed instructions.
(2) Prepare and submit an electronic quarterly report of the accounts and exposures of all banks and associations to the Farm Credit Administration in accordance with the instructions prescribed by the Farm Credit Administration or as may be required by the Farm Credit Administration.
(3) Establish, implement, and maintain an automated mechanism to ensure the reliable, timely, accurate and consistent identification of the banks’ and associations’ shared asset exposures, and report these exposures and the shared asset identifiers in the electronic quarterly report of accounts and exposures to the Farm Credit Administration. In connection with establishing and implementing the automated shared asset identification mechanism, the Reporting Entity may provide the banks and associations information from the central data repository to identify and report shared asset exposures.
(4) Submit to the Farm Credit Administration a written certification that the information provided to the Farm Credit Administration in the report of accounts and exposures of all banks and associations accurately represents the information provided to it by the banks and associations and that the Reporting Entity has complied with the requirements of § 621.15(b). The reports shall be certified by the president or chief executive officer of the Reporting Entity.
In the event the Reporting Entity learns of a material error or misstatement in the information submitted to the Farm Credit Administration, it must notify the Farm Credit Administration immediately of the error or misstatement and prepare and submit corrected information as soon as practicable. (5) Develop, implement, and maintain an effective system of internal controls over the central data repository, including controls for maintaining the confidentiality of borrower information. The system of internal controls, at a minimum, must comply with the requirements of applicable Farm Credit Administration regulations, including § 618.8430 of this chapter and require that the Reporting Entity: (i) Develop policies and procedures to ensure that the information submitted in the report of accounts and exposures to the Farm Credit Administration is complete and consistent with the information submitted to the Reporting Entity from the banks and associations under § 621.15(a); and (ii) Specify procedures for monitoring any material corrections or adjustments, in a timely manner, and provide timely notification and resubmission of the report of accounts and exposures to the Farm Credit Administration. (6) Notify the Farm Credit Administration if it is unable to prepare and submit the quarterly report of accounts and exposures in compliance with the requirements of § 621.15(b)(1) through (b)(3). The notification: (i) Must be signed by the chief executive officer, or person in an equivalent position, and submitted to the Farm Credit Administration as soon as the Reporting Entity becomes aware of its inability to comply; (ii) Must explain the reasons for its inability to prepare and submit the report; and (iii) May include a request that the Farm Credit Administration extend the due date for the quarterly report of accounts and exposures. 
(7) In the event there is a breach of information, immediately provide written notice of the breach to:
(i) The Farm Credit Administration; and
(ii) Each bank and association concerned;
(iii) For the purposes of this section, ‘‘breach of information’’ means any actual or attempted unauthorized access, possession, use, disclosure, disruption, modification, or destruction of information in the central data repository, any reports of accounts and exposures, or any other information received pursuant to § 621.15(a)(1).
(8) Notify the Farm Credit Administration in writing of any request for data contained in the reports of accounts and exposures that are not explicitly allowed for in § 618.8320(b) of this chapter.

Dated: December 18, 2013.
Dale L. Aultman,
Secretary, Farm Credit Administration Board.
[FR Doc. 2013–30717 Filed 12–23–13; 8:45 am]
BILLING CODE 6705–01–P

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 700, 701, and 704

RIN 3133–AE33

Technical Amendments

AGENCY: National Credit Union Administration (NCUA).

ACTION: Final rule.

SUMMARY: The NCUA Board (Board) is making technical amendments to NCUA’s regulations regarding the rating system for corporate credit unions. The technical amendments conform the regulations to a recent policy change adopted by the Board. Specifically, the policy change eliminates the use of the Corporate Risk Information System (CRIS) for corporate credit unions and replaces it with the CAMEL rating system. The technical amendments merely update the regulations to reflect the conversion from the CRIS to the CAMEL rating system for corporate credit unions.

DATES: The final rule is effective on January 1, 2014.

FOR FURTHER INFORMATION CONTACT: Lisa Henderson, Staff Attorney, Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or telephone: (703) 518–6540.

SUPPLEMENTARY INFORMATION:

I. Background and Purpose of the Final Rule
II. Regulatory Procedures

I. Background and Purpose of the Final Rule

Why is the NCUA Board issuing this rule?

In September 2013, the Board adopted a policy change which converted the


[Federal Register Volume 78, Number 247 (Tuesday, December 24, 2013)]
[Rules and Regulations]
[Pages 77557-77563]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-30717]





Federal Register / Vol. 78, No. 247 / Tuesday, December 24, 2013 / 
Rules and Regulations

[[Page 77557]]



FARM CREDIT ADMINISTRATION

12 CFR Parts 602, 618, and 621

RIN 3052-AC76


Releasing Information; General Provisions; Accounting and 
Reporting Requirements; Reports of Accounts and Exposures

AGENCY: Farm Credit Administration.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Farm Credit Administration (FCA, we, or our) issues this 
final rule to establish a regulatory framework for the reliable, 
timely, accurate, and complete reporting of Farm Credit System (System) 
accounts and exposures for examination activities and risk evaluation. 
The final rule specifies the reporting requirements and performance 
responsibilities, including, but not limited to, establishing uniform 
and standard data fields to be collected from all System institutions 
and a disciplined and secure delivery of information. The final rule 
authorizes a Reporting Entity (defined as the Federal Farm Credit Banks 
Funding Corporation (Funding Corporation) or an entity approved by 
FCA), to collect data from all banks and associations and serve as the 
central data repository manager. Additionally, the final rule requires 
all banks and associations to provide data to the Reporting Entity to 
facilitate the collection, enhancement, and reporting of data to FCA.

DATES: Effective Date: This regulation will become effective 30 days 
after publication in the Federal Register during which either or both 
Houses of Congress are in session. We will publish a notice of 
effective date in the Federal Register.
    Compliance Date: All provisions of this regulation require 
compliance on the effective date, except the Reporting Entity's 
requirements under Sec.  621.15(b)(1) through (b)(6). We are delaying 
compliance with these requirements to allow for the development of and 
transition to the System's central data repository. We will publish the 
compliance date for these requirements in the Federal Register.

FOR FURTHER INFORMATION CONTACT:
Susan Coleman, Senior Policy Analyst, Office of Regulatory Policy, Farm 
Credit Administration, McLean, VA 22102-5090, (703) 883-4491, TTY (703) 
883-4056, or
Jane Virga, Senior Counsel, Office of General Counsel, Farm Credit 
Administration, McLean, VA 22102-5090, (703) 883-4020, TTY (703) 883-
4056.

SUPPLEMENTARY INFORMATION:

I. Objectives

    The objectives of this final rule are to:
     Reaffirm FCA's authority to collect data on System 
institution accounts and exposures for examination activities and risk 
evaluation;
     Require all banks and associations to provide data on 
accounts and exposures to the Reporting Entity, for the purposes of 
reporting to FCA; and
     Establish the authority for and responsibilities of the 
Reporting Entity to collect, store, manage, and extrapolate data on 
accounts and exposures for reporting to FCA.

II. Background

    The Farm Credit Act of 1971, as amended (Act),\1\ in pertinent 
part, confers authority on FCA to examine and supervise the 
institutions of the System and authorizes FCA to issue regulations 
implementing the Act's provisions.\2\ Our regulations, including this 
final rule, are intended to ensure the safe and sound operations of 
System institutions. In order to meet FCA's responsibility to ensure 
the safety and soundness of System institutions, we must have reliable, 
timely, accurate, and complete information about each bank's and 
association's assets and liabilities.
---------------------------------------------------------------------------

    \1\ Public Law 92-181, 85 Stat. 583 (1971), 12 U.S.C. 2001 et 
seq.
    \2\ 12 U.S.C. 2252(a)(8), (9), and (10).
---------------------------------------------------------------------------

    Section 4.12(b)(5) of the Act confirms FCA's authority to request 
information from a System institution for examination and supervision 
and the concurrent obligation of a System institution to provide FCA 
with access to the records of the System institution. This statute 
makes it clear that FCA must have access to all records of a System 
institution and provides that concealment or refusal to provide access 
to such records is the basis for the appointment of a receiver or 
conservator.
    In addition to that statutory authority, another section of the Act 
provides authority to FCA to require the production of System 
institution records. Section 5.9(4) of the Act provides FCA the power 
to require such reports as it deems necessary from System 
institutions.\3\ Additionally, section 5.22A of the Act and Sec.  
621.12(a) of FCA regulations require each System institution to prepare 
and file such reports of condition and performance as may be required 
by FCA. Further clarification is provided in Sec.  621.12(b) of FCA 
regulations, which states that these reports of condition and 
performance must be filed four times a year and may include such 
additional reports as may be necessary to ensure timely, complete, and 
accurate monitoring and evaluation of the affairs, condition, and 
performance of System institutions as determined by the Chief Examiner. 
In addition, Sec.  621.12(c) of FCA regulations requires all reports of 
condition and performance to be submitted electronically in accordance 
with the instructions prescribed by FCA.
---------------------------------------------------------------------------

    \3\ Further, under section 5.17(a)(11) of the Act, FCA may 
``[e]xercise such incidental powers as may be necessary or 
appropriate to fulfill its duties and carry out the purposes of 
[the] Act.''
---------------------------------------------------------------------------

    For over a decade, FCA has collected detailed asset reports through 
loan data extracts from System institutions to facilitate examination 
activities and risk evaluation, and shared this data with the Farm 
Credit System Insurance Corporation (FCSIC) on a confidential basis 
subject to an interagency agreement. The need for consistent, 
comprehensive, and comparable data across all System institutions has 
evolved, as the complexity and volume of assets has increased. The 
availability of quality and timely data on accounts and exposures, 
including any loan, lease, letter of credit, derivative, or, any other 
asset, liability, other balance sheet account, or off-balance-sheet 
exposure, has become critical to efficient and effective examination 
activities and risk evaluation. Accordingly, we continue to

[[Page 77558]]

work with the System to collect more comprehensive data submissions and 
enhance the reporting to facilitate the evaluation of changing lending 
risks and conditions.
    An integral component of FCA's and FCSIC's ability to quickly and 
accurately identify and respond to risk is the collection of data on, 
and identification of, shared assets. Shared assets are any account or 
exposure where two or more System institutions have assumed a portion 
of the asset's benefits or risks. On October 3, 2012, the FCA Board 
approved Bookletter BL-065, which describes FCA's expectations that 
each System institution and its board of directors establish and 
implement an automated mechanism to consistently identify shared asset 
exposures. Bookletter BL-065 continues to contain pertinent guidance 
for System institutions. After the central data repository is completed 
by the Reporting Entity, including the implementation of an automated 
mechanism to accurately identify the System's shared asset exposures, 
FCA will evaluate whether to rescind Bookletter BL-065.
    In addition to other objectives, and in order to facilitate the 
identification of shared asset exposures and enable System risk 
assessment, System banks and associations are working with the Funding 
Corporation to create a central data repository to collect and store 
data from all System banks and associations, establish an automated 
mechanism to timely and accurately identify the System's shared asset 
exposures, and report Systemwide accounts and exposures on behalf of 
the System banks and associations to FCA. The Funding Corporation, in 
coordination with the banks and associations, is in the process of 
developing and deploying the central data repository and plans to 
assume the role of the Reporting Entity for the banks' and 
associations' reports of accounts and exposures by yearend 2014.
    We believe the final rule provides a uniform system and process for 
the reporting of accounts and exposures. The final rule reaffirms FCA's 
authority to collect data from the System and communicates the 
authority for, and responsibilities of, the Reporting Entity to collect 
data on behalf of the System banks and associations for delivery to 
FCA. The final rule also confirms FCA's authority to share examination 
reports or other information on System institutions prepared or held by 
FCA with FCSIC, subject to appropriate security and controls.
    The final rule requires the banks, associations, and Reporting 
Entity to establish a system of internal controls over the data. 
Additionally, the banks and associations must establish a data 
governance structure with the Reporting Entity to document the 
responsibilities and accountabilities for the conveyance, storage, and 
uses of the information stored in the central data repository. This 
data governance structure should establish agreement among the banks, 
associations, and Reporting Entity and must be in place prior to the 
first transfer of data to the Reporting Entity.
    During the System's data repository development phase, the banks 
and associations will continue to prepare and submit the reports of 
accounts and exposures to FCA in accordance with the instructions 
prescribed by FCA under Sec.  621.15(a) of this final rule. Upon 
satisfactory demonstration by the Reporting Entity of the ability to 
prepare reliable, timely, complete and accurate reporting of accounts 
and exposures, FCA will accept report(s) of all banks' and 
associations' accounts and exposures from the Reporting Entity, acting 
on behalf of the banks and associations. FCA will establish a delayed 
compliance date for the Reporting Entity's responsibilities under Sec.  
621.15(b)(1) through (b)(6) during the data repository development 
phase.
    FCA understands that the development of the central data repository 
is a necessary precursor to the automated identification and reporting 
of shared exposures. However, FCA expects timely implementation of the 
System's mechanism to identify shared asset exposures as required in 
Sec.  621.15(b)(3) once the data repository is complete. Since the 
identification of shared asset and customer exposures at the System 
level through an automated mechanism is not yet implemented, we will 
establish a delayed compliance date as previously discussed.
    The System's ultimate success of implementing a process for 
reporting shared exposures is dependent upon the cooperation and 
collaboration of the banks, associations, and Reporting Entity. We also 
understand that identification, management, and control of shared 
assets will primarily rest at the bank and association level and will 
be reported by the banks and associations in their quarterly reports. 
However, the responsibility of accumulating the shared assets to the 
shared customer level will primarily rest with the Reporting Entity. As 
such, the Reporting Entity is not only a conduit to submit the banks' 
and associations' reports of accounts and exposures, but is also 
necessary to establish and report accurate System shared exposures. Due 
to this interdependency, we expect continual and thorough collaboration 
and cooperation to ensure the mechanism to identify shared exposures is 
timely, accurate and complete. The data dictionary and instructions 
will specify the various components of the shared asset identifiers 
such as the shared asset number, the shared customer number and the 
System customer lead. FCA will continue to collaborate with the System 
on the specifics for identifying shared exposures through the data 
dictionary and instructions published on the FCA Web site.
    The final regulation requires the Reporting Entity to notify FCA 
immediately in writing of the following events: (1) If there is a 
breach of information; (2) if there is a request for data from the 
reports of accounts and exposures from non-System entities; or, (3) if 
it is unable to prepare and submit the report(s) of accounts and 
exposures in compliance with the regulation. Additionally, in the event 
of a breach of information, the Reporting Entity must provide immediate 
written notice of the breach to each bank and association concerned.
    The Reporting Entity may request that the banks and associations 
appoint a replacement Reporting Entity to assume the authorities and 
reporting obligations of the Reporting Entity. Additionally, the banks 
and associations at their discretion, and with the approval of the FCA, 
may elect to select a replacement Reporting Entity to assume the 
authorities and reporting obligations of the Reporting Entity.
    The proposed rule, which was published for public comment for 30 
days, generated five comment letters, four of which were generally 
supportive. One comment letter opposed the proposed regulation in its 
entirety. After considering the comments, we now finalize the proposed 
provisions as discussed below.

III. Discussion of Comment Letters and Section-by-Section Analysis of 
Final Rule

    The five comment letters we received came from one Farm Credit Bank 
(AgriBank, FCB); three System agricultural credit associations (Farm 
Credit East, ACA, Greenstone Farm Credit Services, ACA, and River 
Valley AgCredit, ACA); and the Farm Credit Council (Council) acting on 
behalf of its membership. These letters contained a number of 
constructive comments that resulted in changes to a number of 
provisions in the proposed rule.

General Issues

    Four commenters support our efforts to set up a regulatory 
framework, but ask that we continue to cooperate with System 
institutions regarding changes to data submission requirements so that 
an appropriate balance remains between the need to evaluate changing 
lending risks and the cost of regulatory burden to the System. The 
concept of a central data repository has been a collaborative and 
cooperative approach between the System and FCA to ensure all parties' 
needs are adequately met and addressed. We intend to continue to 
collaborate and to provide the banks, associations, and Reporting 
Entity with ample opportunity to provide input on any anticipated 
changes to the data submission requirements or instructions. In our 
response below to comments on certain provisions of the proposed rule, 
we have made some changes to further clarify our intended process for 
changes to data submission requirements and to limit the regulatory 
burden on the System.
    The commenter that opposed the rule in its entirety was concerned 
with sending confidential borrower information to the Reporting Entity. 
We understand and share this concern and believe we have included 
requirements in the regulation to address it. Specifically, the final 
rule requires the Reporting Entity to develop and implement an 
effective system of internal controls over the central data repository 
to ensure the confidentiality of borrower information. In addition, we 
expect the banks and associations to establish a data governance 
structure that documents agreement among the banks, associations, and 
Reporting Entity on the responsibilities and accountabilities for 
information stored in the central data repository. Finally, we also 
require the immediate reporting of any breach of information to FCA and 
each bank and association concerned.
    This commenter is also concerned with the increased cost due to the 
regulation. We believe that the availability of quality and timely data 
on accounts and exposures is paramount to efficient and effective 
examination activities and risk evaluation, as well as the System's own 
risk-management practices. We believe that establishing a central data 
repository, including an automated mechanism to accurately identify 
shared asset exposures, is a prudent expense that provides both FCA and 
the System (including this commenter) with the ability to timely 
evaluate risks and conditions, and respond appropriately.
1. Authority To Promulgate the Regulation
    FCA cited section 5.22A of the Act as the basis to require a System 
institution to submit loan data. A commenter questioned whether section 
5.22A was the proper authority to promulgate this regulation. Although 
the commenter acknowledged FCA's inherent authority to access System 
institution accounts and exposure data for examination activities and 
supported the overall process outlined in the proposed regulation, the 
commenter was concerned that we cited an incorrect authority for the 
collection of the data.
    The commenter stated that the proposed rule provides a consolidated 
and efficient approach for submitting data from the System to FCA. 
However, the commenter stated that it is a ``stretch'' to call the 
submission of loan and other similar data at the record level a uniform 
financial report as contemplated in section 5.22A of the Act. The 
commenter asserts that financial reporting means balance sheet, income 
statements, and related supporting schedules, even though FCA has the 
authority to interpret the statute.
    Section 5.22A of the Act requires System institutions to comply 
with FCA's uniform financial reporting instructions. Section 5.22A was 
cited in Bookletter BL-065, which was the genesis for the proposed 
regulation. The Bookletter provides FCA's expectations for System 
institutions to establish and implement an automated mechanism to 
identify and report shared asset exposures. Section 5.22A of the Act 
provides, in pertinent part, that each System institution shall comply 
with uniform financial reporting instructions required by the Farm 
Credit Administration to standardize and facilitate the reporting of 
System data.
    The commenter suggests section 4.12(b)(5) of the Act as authority 
for the regulation. Although we continue to believe that section 5.22A 
of the Act authorizes the regulation, we have included section 
4.12(b)(5) as additional authority. Section 4.12(b)(5) of the Act 
provides that the FCA Board may appoint a conservator or receiver for 
any System institution that does not provide FCA with access to the 
``books, papers, records, or assets of the institution.''
    Including this additional authority source should provide the 
balance that the commenter desired and reassurance concerning the types 
of information retained by System institutions. Also, as a technical 
matter, we added section 5.22A of the Act as authority for this 
regulation. We had included a discussion of this section in the 
preamble to the proposed rule but inadvertently omitted it from the 
authority citations.
2. Notice and Comment on Instructions
    The proposed regulation provides that the banks and associations 
submit the reports of accounts and exposures in accordance with the 
instructions provided by FCA. The Council recommended that the rule be 
revised to provide for notice and comment when FCA changes any of its 
instructions on the reports of accounts and exposures. The Council 
asserts that the Administrative Procedure Act, 5 U.S.C. 553 (APA), 
requires that new instructions be subject to the notice and comment 
requirements. Another commenter asserted that the open-ended nature of 
the information collection process in the instructions is inappropriate 
in that it lacks balance and could be burdensome. As discussed below, 
we believe that the APA does not require notice and comment on the 
instructions for the submission of the accounts and exposure data and 
that the instructions will be appropriate.
    The APA establishes, in pertinent part, that an agency must publish 
a proposed rule for notice and comment. By definition, a rule is an 
agency statement of general or particular applicability. A rule does 
not include an agency's ``housekeeping provisions.''
    We do not believe that the instructions for the submission of 
accounts and exposures data are a regulation. The instructions are not 
an agency statement of general or particular applicability. Rather, we 
believe that the instructions are procedural on their face and do not 
change substantive standards for the submission of the data by the 
System institutions. The instructions do not alter the rights or 
interests of the System institutions, although the instructions may 
alter the information and how it is provided to FCA. A procedural rule 
does not become a substantive one for notice and comment purposes 
simply because it arguably imposes a ``burden'' on the System.
    We do, however, intend to continue to engage in comprehensive 
collaboration and communication with the banks, associations, and 
Reporting Entity. We will provide all parties with sufficient time to 
review any proposed changes to the data dictionary and instructions and 
respond to us with any concerns, including the appropriateness of the 
data requirements and any burden.
    In the future, FCA may amend the instructions, including the data 
dictionary, as the System and FCA continue to assess data needs. FCA 
intends to initiate an annual
collaborative review of the data dictionary and corresponding 
instructions and provide any details on recommended changes to all 
parties in order to receive their comments and input prior to 
initiating any changes. This will ensure the System has the opportunity 
to provide adequate input to changes in the data submission 
requirements and in developing instructions on System data collection 
and storage. FCA plans to inform System institutions of proposed 
changes to the instructions and allow System institutions ample time to 
respond to any changes on the content of information to be provided or 
on the appropriate method of delivering information to the Reporting 
Entity or FCA. We believe that this process provides adequate balance 
to ensure that the information collected is appropriate for examination 
activities and risk analysis. However, exigent circumstances could 
mandate more frequent changes to the instructions, with or without 
System input.
    The process we have discussed is consistent with the existing 
process for issuing instructions for providing ``Uniform Call 
Reports.'' We continue to believe, as first stated in Bookletter BL-065, 
that ``[c]ollaboration by the System will improve the mechanisms and 
disciplines necessary to effectively assess and report shared-asset 
risks in a timely, complete and accurate manner.'' We have confidence 
that this approach balances the needs of FCA to collect uniform and 
standardized data for examination and risk analysis with the needs of 
System institutions to collect the data needed and used for business or 
risk management purposes. Additionally, to clarify an additional 
comment on this topic, FCA's instructions on the data submission 
requirements apply uniformly to all banks and associations.
3. Effective Date
    Several of the commenters requested that we carefully consider the 
effective date of this regulation to ensure the System institutions 
have sufficient time to comply with the requirements. This regulation 
will become effective 30 days after publication in the Federal Register 
during which either or both Houses of Congress are in session. FCA will 
establish a delayed compliance date for the Reporting Entity's 
requirements under Sec.  621.15(b)(1) through (b)(6) of the rule to 
allow for the development of and transition to the System's central 
data repository. Accordingly, the compliance date for Sec.  
621.15(b)(1) through (b)(6) requirements will be published separately 
in the Federal Register. All other sections and requirements of the 
regulation require compliance on the effective date of the regulation.
    As discussed in the preamble, we expect the banks and associations 
to continue preparing and submitting the reports of accounts and 
exposures to FCA under the current established data dictionary and 
instructions prescribed by FCA. This current submission of data will 
continue until such time as the Reporting Entity completes the 
development and implementation of the central data repository and 
satisfactorily demonstrates the ability to prepare and deliver to FCA 
reliable, timely, complete and accurate reporting of accounts and 
exposures, including the identification of shared asset exposures. When 
this occurs, FCA will accept report(s) of all banks' and associations' 
accounts and exposures from the Reporting Entity, acting on behalf of 
the banks and associations. FCA understands that the identification of 
shared asset and customer exposures at the System level is not yet 
implemented and therefore, as stated previously, a delayed compliance 
date will be established for these requirements of the rule.

Specific Issues

1. Sharing Data on Third-Party Systems or With Contractors [new Sec.  
602.2(c)]
    The proposed rule would establish a confidentiality and data 
security agreement requirement between FCA and FCSIC when accounts and 
exposures data is shared between the two agencies.\4\
---------------------------------------------------------------------------

    \4\ Section 5.59(a)(5) of the Act provides that FCSIC, to the 
extent practicable, shall use the personnel and resources of FCA to 
minimize duplication of effort and to reduce costs. Under section 
5.59(b), if the FCSIC Board considers it necessary to examine an 
insured System bank or a System association or any System 
institution in receivership, it may use FCA examiners to conduct the 
examination using reports and other information on the System 
institution prepared or held by FCA. If the FCSIC Board determines 
that such reports or information are not adequate to enable FCSIC to 
carry out the duties of FCSIC under section 5.59(b), it may request 
FCA to examine or to obtain other information from or about the 
System institution and provide FCSIC the resulting examination 
report or such other information. See also section 5.19(d) of the 
Act.
---------------------------------------------------------------------------

    The Council and another commenter stated they were extremely 
concerned over: (1) The security of FCA or FCSIC storing accounts and 
exposures data on third-party systems; and (2) FCSIC providing the data 
to third-party contractors or vendors. They recommended we update the 
regulatory language to ensure that FCSIC cannot release the data to a 
vendor or any other third party and that the data must remain on FCA or 
FCSIC systems at all times.
    We understand and share the commenters' concerns with data 
security. However, we believe that the Sec.  602.2(c) requirement for a 
confidentiality and data security agreement between FCA and FCSIC 
adequately ensures the integrity, confidentiality, and security of the 
data. Safeguarding borrower information is of paramount importance to 
the System and FCA.
    As to the comment concerning providing access to contractors, the 
interagency agreement between FCA and FCSIC governs and protects 
borrower data in any form and includes restrictions on sharing the data 
with contractors. These safeguards are appropriate for this type of 
data and provide FCA and FCSIC the necessary access to the information 
while protecting it from unauthorized access and use. We also note that 
pursuant to Federal statute, FCA does not waive any privilege by 
sharing information with FCSIC. See 12 U.S.C. 1821(t).
2. Bank and Association Certification Requirement [new Sec.  
621.15(a)(2)]
    The proposed rule would require each bank and association to 
provide a written certification that the data submitted ``has been 
prepared in accordance with all applicable regulations and 
instructions, and is a true and accurate record of the data maintained 
in the bank's or association's database, to the best of its knowledge 
and belief.''
    The Council and other commenters suggested revising the 
certification requirement of the banks and associations to avoid the 
possible interpretation that FCA is prescribing what data a System 
institution maintains in its database. The Council asked for 
clarification that the term ``complete'' apply only to data that a bank 
and association has available electronically. In addition, one 
commenter stated that they are unable to certify that all of the actual 
information in their records, regarding any particular borrower, is 
fully accurate at any point in time because it is borrower provided.
    In order to address these concerns, we have modified the language 
in the final rule as requested to require that System institutions 
certify that their submissions are a ``true and accurate record of the 
data maintained by the bank or association, to the best of its 
knowledge and belief.'' Furthermore, we intended that each bank's and 
association's certification apply to the data submitted in its 
report(s) of
accounts and exposures and available in its databases.
3. Reporting Entity Certification Requirement [new Sec.  621.15(b)(4)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity must certify ``that the information provided in the report of 
each bank's and association's accounts and exposures has been prepared 
in accordance with all applicable regulations and instructions and 
accurately represents the information provided to it by the banks and 
associations.''
    The Council suggested revising the Reporting Entity's certification 
requirement. It believes the certification by the banks and 
associations is sufficient to ensure that the information in the report 
complies with the instructions.
    While we agree that the Reporting Entity does not need to certify 
that the banks and associations have complied with the instructions, 
the Reporting Entity is responsible for certifying its compliance with 
the instructions, particularly as they relate to the establishment and 
implementation of an automated mechanism to identify shared asset 
exposures. To address these comments, we have modified the language in 
the final rule to clarify that the Reporting Entity needs to certify 
that the report accurately represents the information provided to it by 
the banks and associations and that the Reporting Entity has complied 
with the requirements of Sec.  621.15(b).
4. Reporting Entity Notification if Unable To Prepare and Submit Report 
[new Sec.  621.15(b)(6)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity must ``[n]otify the Farm Credit Administration if it is unable 
to prepare and submit the quarterly report of accounts and exposures in 
compliance with the requirements of this section.''
    The Council requests that this provision be deleted. It believes 
that it is inappropriate to require the Reporting Entity to notify FCA 
when an individual institution fails to comply with the data submission 
requirements.
    FCA did not intend to hold the Reporting Entity responsible for 
notifying FCA of institution compliance or noncompliance with reporting 
responsibilities. Rather, FCA wants to be notified if the Reporting 
Entity is unable to submit the quarterly report to FCA for any reason, 
such as technical difficulties or if the accounts and exposures report 
to FCA from the Reporting Entity does not contain all banks' and 
associations' reports. In order to address the Council's concern, we 
have modified the language in the final rule to clarify that the 
Reporting Entity needs to notify FCA if it is unable to submit the 
quarterly report in compliance with the Reporting Entity's 
responsibilities as set forth in Sec.  621.15(b)(1) through (b)(3).
5. Information Breach [new Sec.  621.15(b)(7)]
    The proposed rule provides, in pertinent part, that the Reporting 
Entity would be required to immediately notify FCA and each concerned 
bank and association if there is a breach of information. Each bank and 
association would then determine whether any notice of the breach to 
any of its borrowers was required under applicable laws and 
regulations. The bank and association would be responsible for 
providing such notification to its borrowers. We defined ``breach of 
information'' to mean ``unauthorized acquisition of or access to the 
central data repository, any quarterly reports of accounts and 
exposures or any other information received pursuant to Sec.  
621.15(a)(1).''
    Commenters raised several issues regarding these proposed 
requirements. They were concerned with the Reporting Entity providing 
written notice ``immediately'' to FCA and each bank and association 
concerned, if there is an information breach. Commenters asked that the 
term ``immediately'' be revised to allow a greater time to report, such 
as 3 business days. Also, commenters requested that we delete the 
language in Sec.  621.15(b)(7)(ii) that the concerned bank and 
association determine whether any notice of the breach to any of its 
borrowers is required under applicable laws and regulations and, if so, 
that they are responsible for providing such notification. Commenters 
believe the language is not needed because the banks and associations 
are already required to comply with applicable laws and regulations. 
The commenters also requested that FCA clarify that the definition of 
``breach'' refers only to situations in which data has been actually 
accessed by an unauthorized person.
    FCA does not believe it appropriate to allow more time to report a 
security breach. FCA continues to believe that the report must be made 
``immediately'' because the extreme sensitivity of the data maintained 
in the central data repository makes it urgent to communicate an 
information breach. The term ``immediately'' in this context means 
without delay or at once. As to the deletion of the language in Sec.  
621.15(b)(7)(ii), we agree with the comment and have not included the 
specific language in this provision of the final rule. As noted in the 
proposed rule, the Reporting Entity is only responsible for notifying 
FCA and the bank and association concerned of any information breach. 
The bank or association concerned must comply with applicable laws and 
regulations regarding information security and should consider and 
follow best practices.
    Finally, in order to address the concern about the definition of 
``breach,'' we have modified Sec.  621.15(b)(7)(iii). In doing so, we 
do not believe ``breach'' should be limited to the occasion where data 
has actually been accessed by an unauthorized person. Instead, the 
modified definition is intended to capture attempts by unauthorized 
persons to access data and unauthorized possession of data.

IV. Regulatory Flexibility Act

    Pursuant to section 605(b) of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq.), FCA hereby certifies that the final rule would not 
have a significant economic impact on a substantial number of small 
entities. Each of the banks in the Farm Credit System, considered 
together with its affiliated associations, has assets and annual income 
in excess of the amounts that would qualify them as small entities. 
Therefore, Farm Credit System institutions are not ``small entities'' 
as defined in the Regulatory Flexibility Act.

List of Subjects

12 CFR Part 602

    Courts, Freedom of information, Government employees.

12 CFR Part 618

    Agriculture, Archives and records, Banks, banking, Insurance, 
Reporting and recordkeeping requirements, Rural areas, Technical 
assistance.

12 CFR Part 621

    Accounting, Agriculture, Banks, banking, Penalties, Reporting and 
recordkeeping requirements, Rural areas.
    For the reasons stated in the preamble, parts 602, 618 and 621 of 
chapter VI, title 12 of the Code of Federal Regulations, are amended as 
follows:

PART 602--RELEASING INFORMATION

1. The authority citation for part 602 is revised to read as follows:

    Authority:  Secs. 5.9, 5.17, 5.59 of the Farm Credit Act (12 
U.S.C. 2243, 2252, 2277a-8); 5 U.S.C. 301, 552; 12 U.S.C. 1821(t); 52 
FR 10012; E.O. 12600; 52 FR 23781, 3 CFR 1987, p. 235.

2. Section 602.2 is amended by:
a. Revising the heading;
b. Redesignating existing paragraph (c) as paragraph (d); and
c. Adding new paragraph (c) to read as follows:


Sec.  602.2  Disclosing reports of examination and other non-public 
information.

* * * * *
    (c) Disclosure to the Farm Credit System Insurance Corporation. 
Without waiving any privilege or limiting any of the requirements of 
section 5.59 of the Farm Credit Act of 1971, as amended, we may 
disclose reports of examination and other examination and non-public 
information, including data from reports of System accounts and 
exposures received pursuant to Sec.  621.15 of this chapter, to the 
Farm Credit System Insurance Corporation pursuant to confidentiality 
and data security agreements executed between the agencies.
* * * * *

PART 618--GENERAL PROVISIONS

3. The authority citation for part 618 continues to read as follows:

    Authority:  Secs. 1.5, 1.11, 1.12, 2.2, 2.4, 2.5, 2.12, 3.1, 
3.7, 4.12, 4.13A, 4.25, 4.29, 5.9, 5.10, 5.17 of the Farm Credit 
Act (12 U.S.C. 2013, 2019, 2020, 2073, 2075, 2076, 2093, 2122, 2128, 
2183, 2200, 2211, 2218, 2243, 2244, 2252).


Sec.  618.8300  [Amended]

4. Section 618.8300 is amended by removing the words ``as authorized in 
the following paragraphs'' and adding in their place, the words ``as 
authorized by Farm Credit Administration regulations (Sec. Sec.  
618.8300 through 618.8330)''.

5. Section 618.8310 is amended by adding a new paragraph (c) to read as 
follows:


Sec.  618.8310  Lists of borrowers and stockholders.

* * * * *
    (c) In connection with preparing and submitting an electronic 
report of all System accounts and exposures to the Farm Credit 
Administration in accordance with the requirements of Sec.  621.15 of 
this chapter, each bank and association may provide information from 
its lists of borrowers and stockholders to the Reporting Entity as 
defined in Sec.  621.2 of this chapter.

6. Section 618.8320 is amended by adding a new paragraph (b)(10) to 
read as follows:


Sec.  618.8320  Data regarding borrowers and loan applicants.

* * * * *
    (b) * * *
    (10) In connection with preparing and submitting an electronic 
report of all System accounts and exposures to the Farm Credit 
Administration in accordance with the requirements of Sec.  621.15 of 
this chapter, each bank and association may provide data on its 
accounts and exposures to the Reporting Entity as defined in Sec.  
621.2 of this chapter.
* * * * *

PART 621--ACCOUNTING AND REPORTING REQUIREMENTS

7. The authority citation for part 621 is revised to read as follows:

    Authority:  Secs. 4.12(b)(5), 5.17, 5.22A, 8.11 of the Farm 
Credit Act (12 U.S.C. 2183, 2252, 2257a, 2279aa-11); sec. 514 of 
Pub. L. 102-552.


8. Section 621.2 is amended by:
a. Redesignating paragraph (a) as paragraph (b), paragraph (b) as 
paragraph (d), and paragraphs (c) through (i) as paragraphs (f) through 
(l), respectively; and
b. Adding new paragraphs (a), (c), (e), (m) and (n) to read as follows:


Sec.  621.2  Definitions.

    (a) Accounts and exposures means data related to any loan, lease, 
letter of credit, derivative, or, any other asset, liability, other 
balance sheet account, or off-balance-sheet exposure of a System 
institution.
* * * * *
    (c) Banks and associations mean all Farm Credit Banks, Agricultural 
credit banks, and associations.
* * * * *
    (e) Central data repository means a central data warehouse that 
electronically collects and stores current and historical data and is 
created by integrating data from one or more disparate sources.
* * * * *
    (m) Reporting entity means the Federal Farm Credit Banks Funding 
Corporation, or other entity approved by the Farm Credit 
Administration.
    (n) Shared asset means any account or exposure where two or more 
Farm Credit institutions have assumed a portion of the asset's benefits 
or risks. An institution's share in the asset may be established 
through means such as syndications, participation agreements, 
assignments, or other arrangements with System entities.

9. Revise the heading of subpart D to read as follows:

Subpart D--Reports of Condition and Performance and Accounts and 
Exposures

10. Section 621.12 is amended by revising the heading to read as 
follows:


Sec.  621.12  Reports of condition and performance.

* * * * *

11. Add a new Sec.  621.15 to subpart D to read as follows:


Sec.  621.15  Reports of accounts and exposures.

    (a) Responsibilities of banks and associations for preparing and 
submitting reports. The banks and associations must prepare and submit 
an accurate and complete report of all bank and association accounts 
and exposures electronically to the Farm Credit Administration pursuant 
to the requirements of this part. In order to accomplish such 
submission, each bank and association must:
    (1) Prepare and submit an accurate and complete report of its 
accounts and exposures electronically to the Reporting Entity:
    (i) In accordance with the instructions prescribed by the Farm 
Credit Administration, or as may be required by the Farm Credit 
Administration; and
    (ii) Within 20 calendar days after each quarter-end date, and at 
such other times as the Farm Credit Administration may require.
    (2) Submit to the Farm Credit Administration and the Reporting 
Entity a written certification that the information provided in the 
report of accounts and exposures has been prepared in accordance with 
all applicable regulations and instructions, and is a true and accurate 
record of the data maintained by the bank or association, to the best 
of its knowledge and belief. The reports shall be certified by the 
officer of the reporting bank or association named for that purpose by 
action of the reporting bank's or association's board of directors. If 
the board of directors of the bank or association has not acted to name 
an officer to certify to the accuracy of its reports of accounts and 
exposures, then the reports shall be certified by the president or 
chief executive officer of the reporting bank or association. In the 
event the bank or association learns of
a material error or misstatement in the information submitted to the 
Reporting Entity, it must notify the Reporting Entity and the Farm 
Credit Administration immediately of the error or misstatement and 
prepare and submit corrected information as soon as practicable.
    (3) Respond promptly to any questions by the Reporting Entity 
related to information provided under this section in connection with 
the preparation of a report of accounts and exposures, including any 
data required to establish, implement and maintain consistent, 
accurate, and complete shared asset identification and reporting of 
shared asset exposures to the Farm Credit Administration.
    (4) Develop, implement, and maintain an effective system of 
internal controls over the data included in the report of accounts and 
exposures, including controls for maintaining the confidentiality of 
borrower information. The system of internal controls, at a minimum, 
must comply with the requirements of applicable Farm Credit 
Administration regulations, including Sec.  618.8430 of this chapter.
    (b) Responsibilities of the Reporting Entity for preparing and 
submitting reports. The Reporting Entity must:
    (1) Collect, store, and manage the information submitted to it by 
each bank and association under the requirements of this section in a 
central data repository in accordance with Farm Credit Administration 
regulations and prescribed instructions.
    (2) Prepare and submit an electronic quarterly report of the 
accounts and exposures of all banks and associations to the Farm Credit 
Administration in accordance with the instructions prescribed by the 
Farm Credit Administration or as may be required by the Farm Credit 
Administration.
    (3) Establish, implement, and maintain an automated mechanism to 
ensure the reliable, timely, accurate and consistent identification of 
the banks' and associations' shared asset exposures, and report these 
exposures and the shared asset identifiers in the electronic quarterly 
report of accounts and exposures to the Farm Credit Administration. In 
connection with establishing and implementing the automated shared 
asset identification mechanism, the Reporting Entity may provide the 
banks and associations information from the central data repository to 
identify and report shared asset exposures.
    (4) Submit to the Farm Credit Administration a written 
certification that the information provided to the Farm Credit 
Administration in the report of accounts and exposures of all banks and 
associations accurately represents the information provided to it by 
the banks and associations and that the Reporting Entity has complied 
with the requirements of Sec.  621.15(b). The reports shall be 
certified by the president or chief executive officer of the Reporting 
Entity. In the event the Reporting Entity learns of a material error or 
misstatement in the information submitted to the Farm Credit 
Administration, it must notify the Farm Credit Administration 
immediately of the error or misstatement and prepare and submit 
corrected information as soon as practicable.
    (5) Develop, implement, and maintain an effective system of 
internal controls over the central data repository, including controls 
for maintaining the confidentiality of borrower information. The system 
of internal controls, at a minimum, must comply with the requirements 
of applicable Farm Credit Administration regulations, including Sec.  
618.8430 of this chapter and require that the Reporting Entity:
    (i) Develop policies and procedures to ensure that the information 
submitted in the report of accounts and exposures to the Farm Credit 
Administration is complete and consistent with the information 
submitted to the Reporting Entity from the banks and associations under 
Sec.  621.15(a); and
    (ii) Specify procedures for monitoring any material corrections or 
adjustments, in a timely manner, and provide timely notification and 
resubmission of the report of accounts and exposures to the Farm Credit 
Administration.
    (6) Notify the Farm Credit Administration if it is unable to 
prepare and submit the quarterly report of accounts and exposures in 
compliance with the requirements of Sec.  621.15(b)(1) through (b)(3). 
The notification:
    (i) Must be signed by the chief executive officer, or person in an 
equivalent position, and submitted to the Farm Credit Administration as 
soon as the Reporting Entity becomes aware of its inability to comply;
    (ii) Must explain the reasons for its inability to prepare and 
submit the report; and
    (iii) May include a request that the Farm Credit Administration 
extend the due date for the quarterly report of accounts and exposures.
    (7) In the event there is a breach of information, immediately 
provide written notice of the breach to:
    (i) The Farm Credit Administration; and
    (ii) Each bank and association concerned;
    (iii) For the purposes of this section, ``breach of information'' 
means any actual or attempted unauthorized access, possession, use, 
disclosure, disruption, modification, or destruction of information in 
the central data repository, any reports of accounts and exposures, or 
any other information received pursuant to Sec.  621.15(a)(1).
    (8) Notify the Farm Credit Administration in writing of any request 
for data contained in the reports of accounts and exposures that are 
not explicitly allowed for in Sec.  618.8320(b) of this chapter.

    Dated: December 18, 2013.
Dale L. Aultman,
 Secretary, Farm Credit Administration Board.
[FR Doc. 2013-30717 Filed 12-23-13; 8:45 am]
BILLING CODE 6705-01-P