Transferred OTS Regulations Regarding Safety and Soundness Guidelines and Compliance Procedures and Amendments, 5052-5063 [2015-01325]
5052
Proposed Rules
Federal Register
Vol. 80, No. 20
Friday, January 30, 2015
This section of the FEDERAL REGISTER
contains notices to the public of the proposed
issuance of rules and regulations. The
purpose of these notices is to give interested
persons an opportunity to participate in the
rule making prior to the adoption of the final
rules.
DEPARTMENT OF ENERGY
10 CFR Part 430
[Docket No. EERE–2013–BT–STD–0051]
RIN 1904–AD09
Energy Efficiency Program for
Consumer Products: Energy
Conservation Standards for General
Service Lamps: Preliminary Technical
Support Document
AGENCY: Office of Energy Efficiency and Renewable Energy, Department of Energy.
ACTION: Extension of public comment period.
SUMMARY: This document announces an extension of the time period for submitting comments, data and information on the preliminary technical support document (TSD) for general service lamps (GSLs) energy conservation standards published on December 11, 2014. The comment period is extended to February 23, 2015.
DATES: The comment period for the
preliminary TSD for GSLs published on
December 11, 2014 (79 FR 73503) is
extended to February 23, 2015.
ADDRESSES: Interested persons may
submit comments, identified by docket
number EERE–2013–BT–STD–0051
and/or Regulation Identification
Number (RIN) 1904–AD09, by any of the
following methods:
• Federal eRulemaking Portal:
www.regulations.gov. Follow the
instructions for submitting comments.
• Email: GSL2013STD0051@ee.doe.gov. Include the docket number EERE–2013–BT–STD–0051 and/or RIN 1904–AD09 in the subject line of the message.
• Mail: Ms. Brenda Edwards, U.S.
Department of Energy, Building
Technologies Program, Mailstop EE–5B,
1000 Independence Avenue SW.,
Washington, DC 20585–0121. If
possible, please submit all items on a
compact disc (CD), in which case it is
not necessary to include printed copies.
[Please note that comments and CDs sent by mail are often delayed and may be damaged by mail screening processes.]
• Hand Delivery/Courier: Ms. Brenda
Edwards, U.S. Department of Energy,
Building Technologies Program, 950
L’Enfant Plaza SW., Suite 600,
Washington, DC 20024. Telephone (202)
586–2945. If possible, please submit all
items on CD, in which case it is not
necessary to include printed copies.
Docket: The docket is available for
review at www.regulations.gov,
including Federal Register notices,
framework documents, public meeting
attendee lists and transcripts,
comments, and other supporting
documents/materials. All documents in
the docket are listed in the
www.regulations.gov index. However,
not all documents listed in the index
may be publicly available, such as
information that is exempt from public
disclosure.
The rulemaking Web page can be found at: https://www1.eere.energy.gov/buildings/appliance_standards/rulemaking.aspx/ruleid/83. This Web page contains a link to the docket for this notice on the regulation.gov site.
The www.regulations.gov Web page
contains instructions on how to access
all documents in the docket, including
public comments.
FOR FURTHER INFORMATION CONTACT: Ms.
Lucy deButts, U.S. Department of
Energy, Office of Energy Efficiency and
Renewable Energy, Building
Technologies, EE–5B, 1000
Independence Avenue SW.,
Washington, DC 20585–0121.
Telephone: (202) 287–1604. Email:
GSL@ee.doe.gov.
In the Office of the General Counsel,
contact Ms. Celia Sher, U.S. Department
of Energy, Office of the General Counsel,
GC–33, 1000 Independence Avenue
SW., Washington, DC 20585–0121.
Telephone: (202) 287–6122. Email:
Celia.Sher@hq.doe.gov.
SUPPLEMENTARY INFORMATION: On
December 11, 2014, the U.S. Department
of Energy (DOE) published a notice of
public meeting and availability of the
preliminary TSD in the Federal Register
to make available and invite comments
on the preliminary analysis for
establishing energy conservation
standards for GSLs. 79 FR 73503. The
notice provided for the written
submission of comments by February 9,
2015, and oral comments were also
accepted at a public meeting held on
January 20, 2015. The National
Electrical Manufacturers Association
requested an extension of the public
comment period to ensure adequate
time to consider the preliminary
technical support document and public
meeting presentation, and to prepare
and submit comments accordingly.
DOE has determined that an extension
of the public comment period is
appropriate to allow interested parties
additional time to submit comments for
DOE’s consideration. Thus, DOE is
extending the comment period by 14
days. DOE will consider any comments
received by midnight of February 23,
2015 to be timely submitted.
Issued in Washington, DC, on January 26,
2015.
Kathleen B. Hogan,
Deputy Assistant Secretary for Energy
Efficiency, Energy Efficiency and Renewable
Energy.
[FR Doc. 2015–01779 Filed 1–29–15; 8:45 am]
BILLING CODE 6450–01–P
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 308, 364 and 391
RIN 3064–AE28
Transferred OTS Regulations
Regarding Safety and Soundness
Guidelines and Compliance
Procedures and Amendments
AGENCY: Federal Deposit Insurance Corporation.
ACTION: Notice of proposed rulemaking.
SUMMARY: In this notice of proposed rulemaking, the Federal Deposit Insurance Corporation (FDIC) proposes to rescind and remove from the Code of Federal Regulations 12 CFR part 391, subpart B, entitled ‘‘Safety and Soundness Guidelines and Compliance Procedures’’ and Appendix A and B to part 391, subpart B and supplement A to appendix B. With few exceptions addressed below, the requirements for state savings associations in part 391, subpart B, are substantively similar to those in the FDIC’s 12 CFR part 308, subpart R, and in the FDIC’s 12 CFR part 364.
Upon the completion of these proposed changes, the ‘‘Standards for Safety and Soundness’’ for all insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency will be found at part 364 and the ‘‘Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies’’ for all insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency will be found at part 308, subpart R.
DATES: Comments must be received on
or before March 31, 2015.
ADDRESSES: You may submit comments
by any of the following methods:
• FDIC Web site: https://www.fdic.gov/regulations/laws/federal/. Follow instructions for submitting comments on the agency Web site.
• FDIC Email: Comments@fdic.gov.
Include RIN 3064–AE28 on the subject
line of the message.
• FDIC Mail: Robert E. Feldman,
Executive Secretary, Attention:
Comments, Federal Deposit Insurance
Corporation, 550 17th Street NW.,
Washington, DC 20429.
• Hand Delivery to FDIC: Comments
may be hand-delivered to the guard
station at the rear of the 550 17th Street
Building (located on F Street) on
business days between 7 a.m. and 5 p.m.
Please include your name, affiliation,
address, email address, and telephone
number(s) in your comment. Where
appropriate, comments should include a
short Executive Summary consisting of
no more than five single-spaced pages.
All statements received, including
attachments and other supporting
materials, are part of the public record
and are subject to public disclosure.
You should submit only information
that you wish to make publicly
available.
Please note: All comments received will be posted generally without change to https://www.fdic.gov/regulations/laws/federal/, including any personal information provided. Paper copies of public comments may be requested from the Public Information Center by telephone at 1–877–275–3342 or 1–703–562–2200.
FOR FURTHER INFORMATION CONTACT:
Rebecca M. Parks, Review Examiner,
Division of Risk Management
Supervision (202) 898–3912; Jann L.
Harley, Senior Attorney, Legal Division
(312) 382–6535; and Michael P. Condon,
Counsel, Legal Division (202) 898–6536.
SUPPLEMENTARY INFORMATION:
I. Background
The Dodd-Frank Act
The Dodd-Frank Act provided for a
substantial reorganization of the
regulation of State and Federal savings
associations and their holding
companies. Beginning July 21, 2011, the
transfer date established by section 311
of the Dodd-Frank Act, codified at 12
U.S.C. 5411, the powers, duties, and
functions formerly performed by the
OTS were divided among the FDIC, as
to State savings associations, the Office
of the Comptroller of the Currency
(‘‘OCC’’), as to Federal savings
associations, and the Board of
Governors of the Federal Reserve
System (‘‘FRB’’), as to savings and loan
holding companies. Section 316(b) of
the Dodd-Frank Act, codified at 12
U.S.C. 5414(b), provides the manner of
treatment for all orders, resolutions,
determinations, regulations, and
advisory materials that had been issued,
made, prescribed, or allowed to become
effective by the OTS. The section
provides that if such materials were in
effect on the day before the transfer
date, they continue in effect and are
enforceable by or against the
appropriate successor agency until they
are modified, terminated, set aside, or
superseded in accordance with
applicable law by such successor
agency, by any court of competent
jurisdiction, or by operation of law.
Section 316(c) of the Dodd-Frank Act,
codified at 12 U.S.C. 5414(c), further
directed the FDIC and the OCC to
consult with one another and to publish
a list of the continued OTS regulations
which would be enforced by the FDIC
and the OCC, respectively. On June 14,
2011, the FDIC’s Board of Directors
approved a ‘‘List of OTS Regulations to
be Enforced by the OCC and the FDIC
Pursuant to the Dodd-Frank Wall Street
Reform and Consumer Protection Act.’’
This list was published by the FDIC and
the OCC as a Joint Notice in the Federal
Register on July 6, 2011.1
Although section 312(b)(2)(B)(i)(II) of the
Dodd-Frank Act, codified at 12 U.S.C.
5412(b)(2)(B)(i)(II), granted the OCC
rulemaking authority relating to both State
and Federal savings associations, nothing in
the Dodd-Frank Act affected the FDIC’s
existing authority to issue regulations under
the FDI Act and other laws as the
‘‘appropriate Federal banking agency’’ or
under similar statutory terminology. Section
312(c) of the Dodd-Frank Act amended the
definition of ‘‘appropriate Federal banking
agency’’ contained in Section 3(q) of the FDI
Act, 12 U.S.C. 1813(q), to add State savings
associations to the list of entities for which
the FDIC is designated as the ‘‘appropriate
Federal banking agency.’’ As a result, when
the FDIC acts as the designated ‘‘appropriate
Federal banking agency’’ (or under similar
terminology) for State savings associations, as
it does here, the FDIC is authorized to issue,
modify, and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.
1 76 FR 39247 (July 6, 2011).
As noted, on June 14, 2011, operating
pursuant to this authority, the FDIC’s
Board of Directors reissued and
redesignated certain transferring
regulations of the former OTS. These
transferred OTS regulations were
published as new FDIC regulations in
the Federal Register on August 5, 2011.2
When it republished the transferred
OTS regulations as new FDIC
regulations, the FDIC specifically noted
that its staff would evaluate the
transferred OTS rules and might later
recommend incorporating the
transferred OTS regulations into other
FDIC rules, amending them, or
rescinding them, as appropriate.
One of the OTS’s rules transferred to
the FDIC governs safety and soundness
guidelines, the submission and review
of safety and soundness compliance
plans, and the issuance of orders to
correct safety and soundness
deficiencies. The OTS’s rule, formerly
found at 12 CFR part 570, was
transferred to the FDIC with only
nomenclature changes and is now found
in the FDIC’s rules at part 391, subpart
B, entitled ‘‘Safety and Soundness
Guidelines and Compliance
Procedures.’’ The ‘‘Interagency
Guidelines Establishing Standards for
Safety and Soundness’’ were found at
appendix A to part 391, subpart B, the
‘‘Interagency Guidelines Establishing
Information Security Standards’’ were
found at appendix B to part 391, subpart
B, and the ‘‘Interagency Guidance on
Response Programs for Unauthorized
Access to Customer Information and
Customer Notice’’ were found at the
supplement to appendix B to part 391,
subpart B. Before the transfer of the OTS
rules and continuing today, the FDIC’s
rules contained part 364, entitled
‘‘Standards for Safety and Soundness,’’
a rule establishing safety and soundness
standards for State nonmember insured
banks and to State-licensed insured
branches of foreign banks, that are
subject to section 39 of the FDI Act, 12
U.S.C. 1831p–1. Part 364 also
established safety and soundness
standards relating to information
security for State nonmember insured
banks, insured State licensed branches
of foreign banks, and any subsidiaries of
such entities (except brokers, dealers,
persons providing insurance,
investment companies, and investment
advisors) as set out in appendix B to
part 364, the ‘‘Interagency Guidelines
Establishing Information Security
Standards’’ and supplement A to appendix B to part 364, the ‘‘Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.’’
2 76 FR 47652 (Aug. 5, 2011).
Additionally, before the transfer of the
OTS rules and continuing today, the
FDIC’s rules contained part 308, subpart
R, entitled ‘‘Submission and Review of
Safety and Soundness Compliance Plans
and Issuance of Orders to Correct Safety
and Soundness Deficiencies.’’
After careful review and comparison
of part 391, subpart B and part 308,
subpart R, and part 364 and its
accompanying appendices and
supplement to appendices, the FDIC
proposes to rescind subpart B of part
391 because, as discussed below, it is
substantively redundant to existing part
308, subpart R, and part 364 and the
accompanying appendices A and B and
supplement A to appendix B.
Furthermore, to clarify that part 308,
subpart R, and part 364 and its
accompanying appendices A and B and
supplement A to appendix B, apply to
all insured depository institutions for
which the FDIC has been designated the
appropriate Federal banking agency, the
FDIC proposes to amend part 308,
subpart R, and part 364 and to reissue
the appendices and supplement A to
appendix B to part 364 to add ‘‘State
savings associations’’ within the list of
institutions to which the rules and the
appendices apply.
FDIC’s Existing 12 CFR Part 308,
Subpart R
Section 132 of the Federal Deposit
Insurance Corporation Improvement Act
of 1991 (FDICIA), Public Law 102–242,
added Section 39 to the FDI Act (12
U.S.C. 21 1831p–1), which required
each Federal banking agency to
establish by regulation certain safety
and soundness standards for the insured
depository institutions for which it was
the primary Federal regulator. Section
39 of the FDI Act was further amended
on September 23, 1994 by section 318
of the Riegle Community Development
and Regulatory Improvement Act of
1994, Public Law 103–325. In response
to Section 39 of the FDI Act, the FDIC
adopted subpart R of part 308 in 1995
to address the submission and review of
safety and soundness compliance plans
and issuance of orders to correct safety
and soundness deficiencies.
FDIC’s Existing 12 CFR Part 364 and
Appendices A and B and Supplement A
to Appendix B
Section 132 of the Federal Deposit
Insurance Corporation Improvement Act
of 1991 (FDICIA), Public Law 102–242,
added Section 39 to the FDI Act (12
U.S.C. 21 1831p–1), which required
each Federal banking agency to
establish by regulation certain safety
and soundness standards for the insured
depository institutions for which it was
the primary Federal regulator. Section
39 of the FDI Act was further amended
on September 23, 1994 by section 318
of the Riegle Community Development
and Regulatory Improvement Act of
1994, Public Law 103–325. In response
to Section 39 of the FDI Act, the FDIC
adopted part 364 in 1995 and appendix
A to part 364, the ‘‘Interagency
Guidelines Establishing Standards for
Safety and Soundness,’’ in 1995. The
FDIC adopted appendix B to part 364,
the ‘‘Interagency Guidelines
Establishing Information Security
Standards,’’ in 1998. The FDIC adopted
supplement A to appendix B to part
364, the ‘‘Interagency Guidance on
Response Programs for Unauthorized
Access to Customer Information and
Customer Notice,’’ in 2005.
Former OTS’s 12 CFR Part 570
(transferred to FDIC’s Part 391,
Subpart B)
In 1995, the OTS adopted 12 CFR part
570 as a final rule governing safety and
soundness guidelines and compliance
procedures for State savings
associations. The OTS adopted
appendix A to part 570, the
‘‘Interagency Guidelines Establishing
Standards for Safety and Soundness,’’ in
1995, adopted appendix B to part 570,
the ‘‘Interagency Guidelines
Establishing Information Security
Standards,’’ in 1998, and adopted the
supplement to appendix B, the
‘‘Interagency Guidance on Response
Programs for Unauthorized Access to
Customer Information and Customer
Notice,’’ in 2005.
Despite the differences addressed
above and minor technical nuances, the
OTS’s rule was otherwise substantively
similar to the FDIC’s rules governing
safety and soundness guidelines and
compliance procedures found in part
308, subpart R, and part 364 and its
accompanying appendices. After careful
comparison of the OTS part 570 (which
existed prior to the transfer of the OTS
rules to part 391) with the FDIC’s part
308, subpart R, and the FDIC’s part 364,
the FDIC has concluded that the
transferred OTS rules found at part 391,
subpart B, and the accompanying
guidelines found in appendices A and B
and the supplement to appendix B, are
substantively redundant. Therefore,
based on the above, the FDIC proposes
to rescind and remove from the Code of
Federal Regulations the rules located at
part 391, subpart B.
II. The Proposal
Regarding the functions of the former
OTS that were transferred to the FDIC,
Section 316(b)(3) of the Dodd-Frank Act,
12 U.S.C. 5414(b)(3), in pertinent part,
provides that the former OTS’s
regulations will be enforceable by the
FDIC until they are modified,
terminated, set aside, or superseded in
accordance with applicable law. After
reviewing the rules and accompanying
appendices currently found in part 391,
subpart B, the FDIC, as the appropriate
Federal banking agency for State savings
associations, proposes to rescind part
391, subpart B in its entirety. The FDIC
also proposes to amend part 364 and
appendix A and B and supplement A to
appendix B to include State savings
associations within the scope of the
regulation and guidelines. The FDIC
also proposes to amend part 308,
subpart R to apply to State savings
associations. If the proposal is finalized,
the safety and soundness guidelines in
part 364 and its accompanying
appendices and supplement to
appendices would apply to all FDIC-supervised institutions, and the
procedures found in part 308, subpart R,
for the submission and review of safety
and soundness compliance plans and
issuance of orders to correct safety and
soundness deficiencies would also
apply to all FDIC-supervised
institutions. Part 391, subpart B would
be removed because it is redundant of
the rules found in part 364 and part 308,
subpart R. Rescinding part 391, subpart
B, will serve to streamline the FDIC’s
rules and eliminate unnecessary
regulations.
III. Request for Comments
The FDIC invites comments on all
aspects of this proposed rulemaking,
and specifically requests comments on
the following:
(1.) Are the provisions of part 308, subpart R, sufficient to establish effective procedures for the submission and review of safety and soundness compliance plans and issuance of orders to correct safety and soundness deficiencies that would apply to all FDIC-supervised institutions?
(2.) Are the provisions of the
proposed part 364 and the
accompanying appendices and
supplement to appendices sufficient to
provide consistent and effective safety
and soundness guidance and
information security standards? Please
substantiate your answer.
(3.) What impacts, positive or
negative, can you foresee in the FDIC’s
proposal to rescind part 391, subpart B?
Written comments must be received
by the FDIC no later than March 31,
2015.
IV. Regulatory Analysis and Procedure
A. The Paperwork Reduction Act
In accordance with the requirements
of the Paperwork Reduction Act
(‘‘PRA’’) of 1995 (44 U.S.C. 3501–3521),
the FDIC may not conduct or sponsor,
and the respondent is not required to
respond to, an information collection
unless it displays a currently valid
Office of Management and Budget
(‘‘OMB’’) control number.
The Proposed Rule would rescind and
remove part 391, subpart B, from the
FDIC regulations. This rule was
transferred with only nominal changes
to the FDIC from the OTS when the OTS
was abolished by Title III of the Dodd-Frank Act. Part 391, subpart B, is largely
redundant of the FDIC’s existing part
364 regarding standards for safety and
soundness and subpart R of the FDIC’s
existing part 308 regarding the
submission and review of safety and
soundness compliance plans and
issuance of orders to correct safety and
soundness deficiencies.
The Proposed Rule would amend
parts 364 and subpart R of Part 308 to
include State savings associations
within the scope of those regulations.
This measure is to clarify that State
savings associations, as well as State
nonmember insured banks and foreign
banks having insured branches, are all
subject to part 364 and the provisions of
subpart R of part 308. Thus, these
provisions of the Proposed Rule will
neither create any new paperwork
information collections nor impact
current burden estimates. Based on the
above, no information collection request
has been submitted to the OMB for
review.
B. The Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA),
requires that, in connection with a
notice of proposed rulemaking, an
agency prepare and make available for
public comment an initial regulatory
flexibility analysis that describes the
impact of the proposed rule on small
entities (defined in regulations
promulgated by the Small Business
Administration to include banking
organizations with total assets of less
than or equal to $550 million).3
However, a regulatory flexibility
analysis is not required if the agency
certifies that the rule will not have a
significant economic impact on a
substantial number of small entities,
and publishes its certification and a short explanatory statement in the Federal Register together with the rule. For the reasons provided below, the FDIC certifies that the Proposed Rule, if adopted in final form, would not have a significant economic impact on a substantial number of small entities. Accordingly, a regulatory flexibility analysis is not required.
3 5 U.S.C. 601 et seq.
As discussed in this notice of
proposed rulemaking, part 391, subpart
B was transferred from OTS’s part 570
which established safety and soundness
guidelines and the process for
requesting compliance plans and
issuing orders to correct deficiencies.
OTS’s part 570 had been in effect since
1995, and all state savings associations
were required to comply with it.
Because it is redundant of existing part
364 of the FDIC’s rules and subpart R of
part 308 of the FDIC’s rules, the FDIC
proposes rescinding and removing part
391, subpart B. As a result, all FDIC-supervised institutions, including State
savings associations, would be required
to comply with part 364 and part 308,
subpart R. Because all State savings
associations have been required to
comply with substantially similar safety
and soundness guidelines and have
been subject to substantially similar
procedures for the filing of safety and
soundness compliance plans and orders
to correct deficiencies since 1995,
today’s Proposal would have no
significant economic impact on any
State savings association.
C. Plain Language
Section 722 of the GLB Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. The FDIC invites comments on whether the Proposed Rule is clearly stated and effectively organized, and how the FDIC might make it easier to understand. For example:
• Has the FDIC organized the material to suit your needs? If not, how could it present the rule more clearly?
• Have we clearly stated the requirements of the rule? If not, how could the rule be more clearly stated?
• Does the rule contain technical jargon that is not clear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes would make the regulation easier to understand?
• What else could we do to make the regulation easier to understand?
D. The Economic Growth and Regulatory Paperwork Reduction Act
Under Section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.4 The FDIC completed the last comprehensive review of its regulations under EGRPRA in 2006 and is commencing the next decennial review. The action taken on this rule will be included as part of the EGRPRA review that is currently under way. As part of that review, the FDIC invites comments concerning whether the Proposed Rule would impose any outdated or unnecessary regulatory requirements on insured depository institutions. If you provide such comments, please be specific and provide alternatives whenever appropriate.
4 Public Law 104–208 (Sept. 30, 1996).
List of Subjects
12 CFR part 308
Banks, banking, Safety and soundness compliance plans, Savings associations.
12 CFR part 364
Banks, banking, Safety and soundness guidelines.
12 CFR part 391
Safety and soundness guidelines.
Authority and Issuance
For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation proposes to amend parts 308, 364, and 391 of title 12 of the Code of Federal Regulations as follows:
PART 308—RULES OF PRACTICE AND PROCEDURE
■ 1. The authority citation for part 308 continues to read as follows:
Authority: 5 U.S.C. 504, 554–557; 12 U.S.C. 93(b), 164, 505, 1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4), 1831o, 1831p–1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909, 4717, 15 U.S.C. 78(h) and (i), 78o–4(c), 78o–5, 78q–1, 78s, 78u, 78u–2, 78u–3, and 78w, 6801(b), 6805(b)(1); 28 U.S.C. 2461 note; 31 U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104–134, 110 Stat. 1321–358; and Pub. L. 109–351.
■ 2. Revise subpart R of part 308 to read as follows:
Subpart R—Submission and Review of
Safety and Soundness Compliance Plans
and Issuance of Orders To Correct Safety
and Soundness Deficiencies
Sec.
308.300 Scope.
308.301 Purpose.
308.302 Determination and notification of
failure to meet a safety and soundness
standard and request for compliance
plan.
308.303 Filing of safety and soundness
compliance plan.
308.304 Issuance of orders to correct
deficiencies and to take or refrain from
taking other actions.
308.305 Enforcement of orders.
§ 308.300 Scope.
The rules and procedures set forth in
this subpart apply to insured state
nonmember banks, to state-licensed
insured branches of foreign banks, that
are subject to the provisions of section
39 of the Federal Deposit Insurance Act
(section 39) (12 U.S.C. 1831p–1), and to
state savings associations (in aggregate,
bank or banks and state savings
association or state savings
associations).
§ 308.301 Purpose.
Section 39 of the FDI Act requires the
FDIC to establish safety and soundness
standards. Pursuant to section 39, a
bank or savings association may be
required to submit a compliance plan if
it is not in compliance with a safety and
soundness standard established by
guideline under section 39(a) or (b). An
enforceable order under section 8 of the
FDI Act may be issued if, after being
notified that it is in violation of a safety
and soundness standard established
under section 39, the bank or savings
association fails to submit an acceptable
compliance plan or fails in any material
respect to implement an accepted plan.
This subpart establishes procedures for
requiring submission of a compliance
plan and issuing an enforceable order
pursuant to section 39.
§ 308.302 Determination and notification of
failure to meet a safety and soundness
standard and request for compliance plan.
(a) Determination. The FDIC may,
based upon an examination, inspection
or any other information that becomes
available to the FDIC, determine that a
bank or state savings association has
failed to satisfy the safety and
soundness standards set out in part 364
of this chapter and in the Interagency
Guidelines Establishing Standards for
Safety and Soundness in appendix A
and the Interagency Guidelines
Establishing Information Security
Standards in appendix B to part 364 of
this chapter.
(b) Request for compliance plan. If the
FDIC determines that a bank or state
savings association has failed a safety
and soundness standard pursuant to
paragraph (a) of this section, the FDIC
may request, by letter or through a
report of examination, the submission of
a compliance plan and the bank or state
savings association shall be deemed to
have notice of the request three days
after mailing of the letter by the FDIC or
delivery of the report of examination.
§ 308.303 Filing of safety and soundness
compliance plan.
(a) Schedule for filing compliance
plan—(1) In general. A bank or state
savings association shall file a written
safety and soundness compliance plan
with the FDIC within 30 days of
receiving a request for a compliance
plan pursuant to § 308.302(b), unless the
FDIC notifies the bank or state savings
association in writing that the plan is to
be filed within a different period.
(2) Other plans. If a bank or state
savings association is obligated to file,
or is currently operating under, a capital
restoration plan submitted pursuant to
section 38 of the FDI Act (12 U.S.C.
1831o), a cease-and-desist order entered
into pursuant to section 8 of the FDI
Act, a formal or informal agreement, or
a response to a report of examination or
report of inspection, it may, with the
permission of the FDIC, submit a
compliance plan under this section as
part of that plan, order, agreement, or
response, subject to the deadline
provided in paragraph (a)(1) of this
section.
(b) Contents of plan. The compliance
plan shall include a description of the
steps the bank or state savings
association will take to correct the
deficiency and the time within which
those steps will be taken.
(c) Review of safety and soundness
compliance plans. Within 30 days after
receiving a safety and soundness
compliance plan under this subpart, the
FDIC shall provide written notice to the
bank or state savings association of
whether the plan has been approved or
seek additional information from the
bank or state savings association
regarding the plan. The FDIC may
extend the time within which notice
regarding approval of a plan will be
provided.
(d) Failure to submit or implement a
compliance plan—(1) Supervisory
actions. If a bank or state savings
association fails to submit an acceptable
plan within the time specified by the
FDIC or fails in any material respect to
implement a compliance plan, then the
FDIC shall, by order, require the bank or
state savings association to correct the
deficiency and may take further actions
provided in section 39(e)(2)(B).
Pursuant to section 39(e)(3), the FDIC
may be required to take certain actions
if the bank or state savings association
commenced operations or experienced a
change in control within the previous
24-month period, or the bank or state
savings association experienced
extraordinary growth during the
previous 18-month period.
(2) Extraordinary growth. For
purposes of paragraph (d)(1) of this
section, extraordinary growth means an
increase in assets of more than 7.5
percent during any quarter within the
18-month period preceding the issuance
of a request for submission of a
compliance plan, by a bank or state
savings association that is not well
capitalized for purposes of section 38 of
the FDI Act. For purposes of calculating
an increase in assets, assets acquired
through merger or acquisition approved
pursuant to the Bank Merger Act (12
U.S.C. 1828(c)) will be excluded.
(e) Amendment of compliance plan. A
bank or state savings association that
has filed an approved compliance plan
may, after prior written notice to and
approval by the FDIC, amend the plan
to reflect a change in circumstance.
Until such time as a proposed
amendment has been approved, the
bank or state savings association shall
implement the compliance plan as
previously approved.
§ 308.304 Issuance of orders to correct
deficiencies and to take or refrain from
taking other actions.
(a) Notice of intent to issue order—(1)
In general. The FDIC shall provide a
bank or state savings association prior
written notice of the FDIC’s intention to
issue an order requiring the bank or
state savings association to correct a
safety and soundness deficiency or to
take or refrain from taking other actions
pursuant to section 39 of the FDI Act.
The bank or state savings association
shall have such time to respond to a
proposed order as provided by the FDIC
under paragraph (c) of this section.
(2) Immediate issuance of final order.
If the FDIC finds it necessary in order
to carry out the purposes of section 39
of the FDI Act, the FDIC may, without
providing the notice prescribed in
paragraph (a)(1) of this section, issue an
order requiring a bank or state savings
association immediately to take actions
to correct a safety and soundness
deficiency or take or refrain from taking
other actions pursuant to section 39. A
bank or state savings association that is
subject to such an immediately effective
order may submit a written appeal of
the order to the FDIC. Such an appeal
must be received by the FDIC within 14
calendar days of the issuance of the
order, unless the FDIC permits a longer
period. The FDIC shall consider any
such appeal, if filed in a timely manner,
within 60 days of receiving the appeal.
During such period of review, the order
shall remain in effect unless the FDIC,
in its sole discretion, stays the
effectiveness of the order.
(b) Contents of notice. A notice of
intent to issue an order shall include:
(1) A statement of the safety and
soundness deficiency or deficiencies
that have been identified at the bank or
state savings association;
(2) A description of any restrictions,
prohibitions, or affirmative actions that
the FDIC proposes to impose or require;
(3) The proposed date when such
restrictions or prohibitions would be
effective or the proposed date for
completion of any required action; and
(4) The date by which the bank or
state savings association subject to the
order may file with the FDIC a written
response to the notice.
(c) Response to notice—(1) Time for
response. A bank or state savings
association may file a written response
to a notice of intent to issue an order
within the time period set by the FDIC.
Such a response must be received by the
FDIC within 14 calendar days from the
date of the notice unless the FDIC
determines that a different period is
appropriate in light of the safety and
soundness of the bank or state savings
association or other relevant
circumstances.
(2) Contents of response. The
response should include:
(i) An explanation why the action
proposed by the FDIC is not an
appropriate exercise of discretion under
section 39;
(ii) Any recommended modification
of the proposed order; and
(iii) Any other relevant information,
mitigating circumstances,
documentation, or other evidence in
support of the position of the bank or
state savings association regarding the
proposed order.
(d) Agency consideration of response.
After considering the response, the FDIC
may:
(1) Issue the order as proposed or in
modified form;
(2) Determine not to issue the order
and so notify the bank or state savings
association; or
(3) Seek additional information or
clarification of the response from the
bank or state savings association, or any
other relevant source.
(e) Failure to file response. Failure by
a bank or state savings association to file
with the FDIC, within the specified time
period, a written response to a proposed
order shall constitute a waiver of the
opportunity to respond and shall
constitute consent to the issuance of the
order.
(f) Request for modification or
rescission of order. Any bank or state
savings association that is subject to an
order under this subpart may, upon a
change in circumstances, request in
writing that the FDIC reconsider the
terms of the order, and may propose that
the order be rescinded or modified.
Unless otherwise ordered by the FDIC,
the order shall continue in place while
such request is pending before the FDIC.
§ 308.305 Enforcement of orders.
(a) Judicial remedies. Whenever a
bank or state savings association fails to
comply with an order issued under
section 39, the FDIC may seek
enforcement of the order in the
appropriate United States district court
pursuant to section 8(i)(1) of the FDI
Act.
(b) Failure to comply with order.
Pursuant to section 8(i)(2)(A) of the FDI
Act, the FDIC may assess a civil money
penalty against any bank or state savings
association that violates or otherwise
fails to comply with any final order
issued under section 39 and against any
institution-affiliated party who
participates in such violation or
noncompliance.
(c) Other enforcement action. In
addition to the actions described in
paragraphs (a) and (b) of this section,
the FDIC may seek enforcement of the
provisions of section 39 or this part
through any other judicial or
administrative proceeding authorized by
law.
■ 3. Revise part 364 to read as follows:
PART 364—STANDARDS FOR SAFETY
AND SOUNDNESS
Sec.
364.100 Purpose.
364.101 Standards for safety and
soundness.
Appendix A to Part 364—Interagency
Guidelines Establishing Standards for
Safety and Soundness
Appendix B to Part 364—Interagency
Guidelines Establishing Information
Security Standards
Authority: 12 U.S.C. 1818 and 1819
(Tenth), 1831p–1; 15 U.S.C. 1681b, 1681s,
1681w, 6801(b), 6805(b)(1).
§ 364.100 Purpose.
Section 39 of the Federal Deposit
Insurance Act requires the Federal
Deposit Insurance Corporation to
establish safety and soundness
standards. Pursuant to section 39, this
part establishes safety and soundness
standards by guideline.
§ 364.101 Standards for safety and
soundness.
(a) General standards. The
Interagency Guidelines Establishing
Standards for Safety and Soundness
prescribed pursuant to section 39 of the
Federal Deposit Insurance Act (12
U.S.C. 1831p–1), as set forth as
appendix A to this part, apply to all
insured state nonmember banks, to
state-licensed insured branches of
foreign banks, that are subject to the
provisions of section 39 of the Federal
Deposit Insurance Act, and to state
savings associations (in aggregate, bank
or banks and savings association or
savings associations).
(b) Interagency Guidelines
Establishing Information Security
Standards. The Interagency Guidelines
Establishing Information Security
Standards prescribed pursuant to
section 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1831p–1), and
sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801,
6805(b)), and with respect to the proper
disposal of consumer information
requirements pursuant to section 628 of
the Fair Credit Reporting Act (15 U.S.C.
1681w), as set forth in appendix B to
this part, apply to all insured state
nonmember banks, insured state
licensed branches of foreign banks, any
subsidiaries of such entities (except
brokers, dealers, persons providing
insurance, investment companies, and
investment advisers), and to state
savings associations. The interagency
regulations and guidelines on identity
theft detection, prevention, and
mitigation prescribed pursuant to
section 114 of the Fair and Accurate
Credit Transactions Act of 2003, 15
U.S.C. 1681m(e), are set forth in
§§ 334.90, 334.91, and Appendix J of
part 334.
Appendix A to Part 364—Interagency
Guidelines Establishing Standards for
Safety and Soundness
Table of Contents
I. Introduction.
A. Preservation of existing authority.
B. Definitions.
II. Operational and Managerial Standards.
A. Internal controls and information
systems.
B. Internal audit system.
C. Loan documentation.
D. Credit underwriting.
E. Interest rate exposure.
F. Asset growth.
G. Asset quality.
H. Earnings.
I. Compensation, fees and benefits.
III. Prohibition on Compensation That
Constitutes an Unsafe and Unsound
Practice.
A. Excessive compensation.
B. Compensation leading to material
financial loss.
I. Introduction
i. Section 39 of the Federal Deposit
Insurance Act1 (FDI Act) requires each
Federal banking agency (collectively, the
agencies) to establish certain safety and
soundness standards by regulation or by
guidelines for all insured depository
institutions. Under section 39, the agencies
must establish three types of standards: (1)
Operational and managerial standards; (2)
compensation standards; and (3) such
standards relating to asset quality, earnings,
and stock valuation as they determine to be
appropriate.
ii. Section 39(a) requires the agencies to
establish operational and managerial
standards relating to: (1) Internal controls,
information systems and internal audit
systems, in accordance with section 36 of the
FDI Act (12 U.S.C. 1831m); (2) loan
documentation; (3) credit underwriting; (4)
interest rate exposure; (5) asset growth; and
(6) compensation, fees, and benefits, in
accordance with subsection (c) of section 39.
Section 39(b) requires the agencies to
establish standards relating to asset quality,
earnings, and stock valuation that the
agencies determine to be appropriate.
iii. Section 39(c) requires the agencies to
establish standards prohibiting as an unsafe
and unsound practice any compensatory
arrangement that would provide any
executive officer, employee, director, or
principal shareholder of the institution with
excessive compensation, fees or benefits and
any compensatory arrangement that could
lead to material financial loss to an
institution. Section 39(c) also requires that
the agencies establish standards that specify
when compensation is excessive.
iv. If an agency determines that an
institution fails to meet any standard
established by guidelines under subsection
(a) or (b) of section 39, the agency may
require the institution to submit to the
agency an acceptable plan to achieve
compliance with the standard. In the event
that an institution fails to submit an
acceptable plan within the time allowed by
the agency or fails in any material respect to
implement an accepted plan, the agency
must, by order, require the institution to
correct the deficiency. The agency may, and
in some cases must, take other supervisory
actions until the deficiency has been
corrected.
v. The agencies have adopted amendments
to their rules and regulations to establish
deadlines for submission and review of
compliance plans.2
vi. The following Guidelines set out the
safety and soundness standards that the
agencies use to identify and address
problems at insured depository institutions
before capital becomes impaired. The
agencies believe that the standards adopted
in these Guidelines serve this end without
dictating how institutions must be managed
and operated. These standards are designed
to identify potential safety and soundness
concerns and ensure that action is taken to
address those concerns before they pose a
risk to the Deposit Insurance Fund.
A. Preservation of Existing Authority
Neither section 39 nor these Guidelines in
any way limits the authority of the agencies
to address unsafe or unsound practices,
violations of law, unsafe or unsound
conditions, or other practices. Action under
section 39 and these Guidelines may be taken
independently of, in conjunction with, or in
addition to any other enforcement action
available to the agencies. Nothing in these
Guidelines limits the authority of the FDIC
pursuant to section 38(i)(2)(F) of the FDI Act
(12 U.S.C. 1831(o)) and Part 325 of Title 12
of the Code of Federal Regulations.
B. Definitions
1. In general. For purposes of these
Guidelines, except as modified in the
Guidelines or unless the context otherwise
requires, the terms used have the same
meanings as set forth in sections 3 and 39 of
the FDI Act (12 U.S.C. 1813 and 1831p–1).
2. Board of directors, in the case of a state-licensed insured branch of a foreign bank and
in the case of a federal branch of a foreign
bank, means the managing official in charge
of the insured foreign branch.
3. Compensation means all direct and
indirect payments or benefits, both cash and
non-cash, granted to or for the benefit of any
executive officer, employee, director, or
principal shareholder, including but not
limited to payments or benefits derived from
an employment contract, compensation or
benefit agreement, fee arrangement,
perquisite, stock option plan,
postemployment benefit, or other
compensatory arrangement.
4. Director shall have the meaning
described in 12 CFR 215.2(d).3
5. Executive officer shall have the meaning
described in 12 CFR 215.2(e).4
6. Principal shareholder shall have the
meaning described in 12 CFR 215.2(m).5
II. Operational and Managerial Standards
A. Internal controls and information
systems. An institution should have internal
controls and information systems that are
appropriate to the size of the institution and
the nature, scope and risk of its activities and
that provide for:
1. An organizational structure that
establishes clear lines of authority and
responsibility for monitoring adherence to
established policies;
2. Effective risk assessment;
3. Timely and accurate financial,
operational and regulatory reports;
4. Adequate procedures to safeguard and
manage assets; and
5. Compliance with applicable laws and
regulations.
B. Internal audit system. An institution
should have an internal audit system that is
appropriate to the size of the institution and
the nature and scope of its activities and that
provides for:
1. Adequate monitoring of the system of
internal controls through an internal audit
function. For an institution whose size,
complexity or scope of operations does not
warrant a full scale internal audit function,
a system of independent reviews of key
internal controls may be used;
2. Independence and objectivity;
3. Qualified persons;
4. Adequate testing and review of
information systems;
5. Adequate documentation of tests and
findings and any corrective actions;
6. Verification and review of management
actions to address material weaknesses; and
7. Review by the institution’s audit
committee or board of directors of the
effectiveness of the internal audit systems.
C. Loan documentation. An institution
should establish and maintain loan
documentation practices that:
1. Enable the institution to make an
informed lending decision and to assess risk,
as necessary, on an ongoing basis;
2. Identify the purpose of a loan and the
source of repayment, and assess the ability of
the borrower to repay the indebtedness in a
timely manner;
3. Ensure that any claim against a borrower
is legally enforceable;
4. Demonstrate appropriate administration
and monitoring of a loan; and
5. Take account of the size and complexity
of a loan.
D. Credit underwriting. An institution
should establish and maintain prudent credit
underwriting practices that:
1. Are commensurate with the types of
loans the institution will make and consider
the terms and conditions under which they
will be made;
2. Consider the nature of the markets in
which loans will be made;
3. Provide for consideration, prior to credit
commitment, of the borrower’s overall
financial condition and resources, the
financial responsibility of any guarantor, the
nature and value of any underlying collateral,
and the borrower’s character and willingness
to repay as agreed;
4. Establish a system of independent,
ongoing credit review and appropriate
communication to management and to the
board of directors;
5. Take adequate account of concentration
of credit risk; and
6. Are appropriate to the size of the
institution and the nature and scope of its
activities.
E. Interest rate exposure. An institution
should:
1. Manage interest rate risk in a manner
that is appropriate to the size of the
institution and the complexity of its assets
and liabilities; and
2. Provide for periodic reporting to
management and the board of directors
regarding interest rate risk with adequate
information for management and the board of
directors to assess the level of risk.
F. Asset growth. An institution’s asset
growth should be prudent and consider:
1. The source, volatility and use of the
funds that support asset growth;
2. Any increase in credit risk or interest
rate risk as a result of growth; and
3. The effect of growth on the institution’s
capital.
G. Asset quality. An insured depository
institution should establish and maintain a
system that is commensurate with the
institution’s size and the nature and scope of
its operations to identify problem assets and
prevent deterioration in those assets. The
institution should:
1. Conduct periodic asset quality reviews
to identify problem assets;
2. Estimate the inherent losses in those
assets and establish reserves that are
sufficient to absorb estimated losses;
3. Compare problem asset totals to capital;
4. Take appropriate corrective action to
resolve problem assets;
5. Consider the size and potential risks of
material asset concentrations; and
6. Provide periodic asset reports with
adequate information for management and
the board of directors to assess the level of
asset risk.
H. Earnings. An insured depository
institution should establish and maintain a
system that is commensurate with the
institution’s size and the nature and scope of
its operations to evaluate and monitor
earnings and ensure that earnings are
sufficient to maintain adequate capital and
reserves. The institution should:
1. Compare recent earnings trends relative
to equity, assets, or other commonly used
benchmarks to the institution’s historical
results and those of its peers;
2. Evaluate the adequacy of earnings given
the size, complexity, and risk profile of the
institution’s assets and operations;
3. Assess the source, volatility, and
sustainability of earnings, including the
effect of nonrecurring or extraordinary
income or expense;
4. Take steps to ensure that earnings are
sufficient to maintain adequate capital and
reserves after considering the institution’s
asset quality and growth rate; and
5. Provide periodic earnings reports with
adequate information for management and
the board of directors to assess earnings
performance.
I. Compensation, fees and benefits. An
institution should maintain safeguards to
prevent the payment of compensation, fees,
and benefits that are excessive or that could
lead to material financial loss to the
institution.
III. Prohibition on Compensation That
Constitutes an Unsafe and Unsound Practice
A. Excessive Compensation
Excessive compensation is prohibited as an
unsafe and unsound practice. Compensation
shall be considered excessive when amounts
paid are unreasonable or disproportionate to
the services performed by an executive
officer, employee, director, or principal
shareholder, considering the following:
1. The combined value of all cash and
noncash benefits provided to the individual;
2. The compensation history of the
individual and other individuals with
comparable expertise at the institution;
3. The financial condition of the
institution;
4. Comparable compensation practices at
comparable institutions, based upon such
factors as asset size, geographic location, and
the complexity of the loan portfolio or other
assets;
5. For postemployment benefits, the
projected total cost and benefit to the
institution;
6. Any connection between the individual
and any fraudulent act or omission, breach of
trust or fiduciary duty, or insider abuse with
regard to the institution; and
7. Any other factors the agencies determine
to be relevant.
B. Compensation Leading to Material
Financial Loss
Compensation that could lead to material
financial loss to an institution is prohibited
as an unsafe and unsound practice.
1 Section 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1831p–1) was added
by section 132 of the Federal Deposit
Insurance Corporation Improvement Act of
1991 (FDICIA), Pub. L. 102–242, 105 Stat.
2236 (1991), and amended by section 956 of
the Housing and Community Development
Act of 1992, Pub. L. 102–550, 106 Stat. 3895
(1992) and section 318 of the Riegle
Community Development and Regulatory
Improvement Act of 1994, Pub. L. 103–325,
108 Stat. 2160 (1994).
2 For the Office of the Comptroller of the
Currency, these regulations appear at 12 CFR
part 30; for the Board of Governors of the
Federal Reserve System, these regulations
appear at 12 CFR part 263; and for the
Federal Deposit Insurance Corporation, these
regulations appear at 12 CFR part 308,
subpart R.
3 In applying these definitions for savings
associations, pursuant to 12 U.S.C. 1464,
savings associations shall use the terms
“savings association” and “insured savings
association” in place of the terms “member
bank” and “insured bank”.
4 See footnote 3 in section I.B.4. of this
appendix.
5 See footnote 3 in section I.B.4. of this
appendix.
Appendix B to Part 364—Interagency
Guidelines Establishing Information
Security Standards
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer
Information
A. Information Security Program
B. Objectives
III. Development and Implementation of
Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing
Information Security Standards (Guidelines)
set forth standards pursuant to section 39 of
the Federal Deposit Insurance Act, 12 U.S.C.
1831p–1, and sections 501 and 505(b), 15
U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address
standards for developing and implementing
administrative, technical, and physical
safeguards to protect the security,
confidentiality, and integrity of customer
information. These Guidelines also address
standards with respect to the proper disposal
of consumer information pursuant to sections
621 and 628 of the Fair Credit Reporting Act
(15 U.S.C. 1681s and 1681w).
A. Scope. The Guidelines apply to
customer information maintained by or on
behalf of, and to the disposal of consumer
information by or on the behalf of, entities
over which the Federal Deposit Insurance
Corporation (FDIC) has authority. Such
entities, referred to as “insured depository
institution” or “institution”, are banks
insured by the FDIC (other than members of
the Federal Reserve System), state savings
associations insured by the FDIC, insured
state branches of foreign banks, and any
subsidiaries of such entities (except brokers,
dealers, persons providing insurance,
investment companies, and investment
advisers).
B. Preservation of Existing Authority.
Neither section 39 nor these Guidelines in
any way limit the authority of the FDIC to
address unsafe or unsound practices,
violations of law, unsafe or unsound
conditions, or other practices. The FDIC may
take action under section 39 and these
Guidelines independently of, in conjunction
with, or in addition to, any other
enforcement action available to the FDIC.
C. Definitions. 1. Except as modified in the
Guidelines, or unless the context otherwise
requires, the terms used in these Guidelines
have the same meanings as set forth in
sections 3 and 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the
following definitions apply:
a. Board of directors, in the case of a
branch or agency of a foreign bank, means the
managing official in charge of the branch or
agency.
b. Consumer Information means any record
about an individual, whether in paper,
electronic, or other form, that is a consumer
report or is derived from a consumer report
and that is maintained or otherwise
possessed by or on behalf of the institution
for a business purpose. Consumer
information also means a compilation of such
records. The term does not include any
record that does not personally identify an
individual.
i. Examples: (1) Consumer information
includes:
(A) A consumer report that an institution
obtains;
(B) information from a consumer report
that the institution obtains from its affiliate
after the consumer has been given a notice
and has elected not to opt out of that sharing;
(C) information from a consumer report
that the institution obtains about an
individual who applies for but does not
receive a loan, including any loan sought by
an individual for a business purpose;
(D) information from a consumer report
that the institution obtains about an
individual who guarantees a loan (including
a loan to a business entity); or
(E) information from a consumer report
that the institution obtains about an
employee or prospective employee.
(2) Consumer information does not
include:
(A) Aggregate information, such as the
mean score, derived from a group of
consumer reports; or
(B) blind data, such as payment history on
accounts that are not personally identifiable,
that may be used for developing credit
scoring models or for other purposes.
c. Consumer report has the same meaning
as set forth in the Fair Credit Reporting Act,
15 U.S.C. 1681a(d).
d. Customer means any customer of the
institution as defined in § 332.3(h) of this
chapter.
e. Customer information means any record
containing nonpublic personal information,
as defined in § 332.3(n) of this chapter, about
a customer, whether in paper, electronic, or
other form, that is maintained by or on behalf
of the institution.
f. Customer information systems means
any methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information.
g. Service provider means any person or
entity that maintains, processes, or otherwise
is permitted access to customer information
or consumer information through its
provision of services directly to the
institution.
II. Standards for Information Security
A. Information Security Program. Each
insured depository institution shall
implement a comprehensive written
information security program that includes
administrative, technical, and physical
safeguards appropriate to the size and
complexity of the institution and the nature
and scope of its activities. While all parts of
the institution are not required to implement
a uniform set of policies, all elements of the
information security program must be
coordinated.
B. Objectives. An institution’s information
security program shall be designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information;
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer; and
4. Ensure the proper disposal of customer
information and consumer information.
III. Development and Implementation of
Information Security Program
A. Involve the Board of Directors. The
board of directors or an appropriate
committee of the board of each insured
depository institution shall:
1. Approve the institution’s written
information security program; and
2. Oversee the development,
implementation, and maintenance of the
institution’s information security program,
including assigning specific responsibility for
its implementation and reviewing reports
from management.
B. Assess Risk. Each institution shall:
1. Identify reasonably foreseeable internal
and external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems.
2. Assess the likelihood and potential
damage of these threats, taking into
consideration the sensitivity of customer
information.
3. Assess the sufficiency of policies,
procedures, customer information systems,
and other arrangements in place to control
risks.
C. Manage and Control Risk. Each
institution shall:
1. Design its information security program
to control the identified risks, commensurate
with the sensitivity of the information as well
as the complexity and scope of the
institution’s activities. Each institution must
consider whether the following security
measures are appropriate for the institution
and, if so, adopt those measures the
institution concludes are appropriate:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means;
b. Access restrictions at physical locations
containing customer information, such as
buildings, computer facilities, and records
storage facilities to permit access only to
authorized individuals;
c. Encryption of electronic customer
information, including while in transit or in
storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that
customer information system modifications
are consistent with the institution’s
information security program;
e. Dual control procedures, segregation of
duties, and employee background checks for
employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to
detect actual and attempted attacks on or
intrusions into customer information
systems;
g. Response programs that specify actions
to be taken when the institution suspects or
detects that unauthorized individuals have
gained access to customer information
systems, including appropriate reports to
regulatory and law enforcement agencies;
and
h. Measures to protect against destruction,
loss, or damage of customer information due
to potential environmental hazards, such as
fire and water damage or technological
failures.
2. Train staff to implement the institution’s
information security program.
3. Regularly test the key controls, systems
and procedures of the information security
program. The frequency and nature of such
tests should be determined by the
institution’s risk assessment. Tests should be
conducted or reviewed by independent third
parties or staff independent of those that
develop or maintain the security programs.
4. Develop, implement, and maintain, as
part of its information security program,
appropriate measures to properly dispose of
customer information and consumer
information in accordance with each of the
requirements of this paragraph III.
D. Oversee Service Provider Arrangements.
Each institution shall:
1. Exercise appropriate due diligence in
selecting its service providers;
2. Require its service providers by contract
to implement appropriate measures designed
to meet the objectives of these Guidelines;
and
3. Where indicated by the institution’s risk
assessment, monitor its service providers to
confirm that they have satisfied their
obligations as required by paragraph D.2. As
part of this monitoring, an institution should
review audits, summaries of test results, or
other equivalent evaluations of its service
providers.
E. Adjust the Program. Each institution
shall monitor, evaluate, and adjust, as
appropriate, the information security
program in light of any relevant changes in
technology, the sensitivity of its customer
information, internal or external threats to
information, and the institution’s own
changing business arrangements, such as
mergers and acquisitions, alliances and joint
ventures, outsourcing arrangements, and
changes to customer information systems.
F. Report to the Board. Each institution
shall report to its board or an appropriate
committee of the board at least annually.
This report should describe the overall status
of the information security program and the
institution’s compliance with these
Guidelines. The report, which will vary
depending upon the complexity of each
institution’s program, should discuss material
matters related to its program, addressing
issues such as: Risk assessment; risk
management and control decisions; service
provider arrangements; results of testing;
security breaches or violations, and
management’s responses; and
recommendations for changes in the
information security program.
G. Implement the Standards. 1. Effective
date. Each institution must implement an
information security program pursuant to
these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements
with service providers. Until July 1, 2003, a
contract that an institution has entered into
with a service provider to perform services
for it or functions on its behalf, satisfies the
provisions of paragraph III.D., even if the
contract does not include a requirement that
the servicer maintain the security and
confidentiality of customer information as
long as the institution entered into the
contract on or before March 5, 2001.
3. Effective date for measures relating to
the disposal of consumer information. Each
institution must satisfy these Guidelines with
respect to the proper disposal of consumer
information by July 1, 2005.
4. Exception for existing agreements with
service providers relating to the disposal of
consumer information. Notwithstanding the
requirement in paragraph III.G.3., an
institution’s contracts with its service
providers that have access to consumer
information and that may dispose of
consumer information, entered into before
July 1, 2005, must comply with the
provisions of the Guidelines relating to the
proper disposal of consumer information by
July 1, 2006.
Supplement A to Appendix B to Part 364
Interagency Guidance on Response
Programs for Unauthorized Access to
Customer Information and Customer Notice
I. Background
This Guidance 1 interprets section 501(b) of
the Gramm-Leach-Bliley Act (GLBA) and the
Interagency Guidelines Establishing
Information Security Standards (the Security
Guidelines) 2 and describes response
programs, including customer notification
procedures, that a financial institution
should develop and implement to address
unauthorized access to or use of customer
information that could result in substantial
harm or inconvenience to a customer. The
scope of, and definitions of terms used in,
this Guidance are identical to those of the
Security Guidelines. For example, the term
‘‘customer information’’ is the same term
used in the Security Guidelines, and means
any record containing nonpublic personal
information about a customer, whether in
paper, electronic, or other form, maintained
by or on behalf of the institution.
A. Interagency Security Guidelines
Section 501(b) of the GLBA required the
Agencies to establish appropriate standards
for financial institutions subject to their
jurisdiction that include administrative,
technical, and physical safeguards, to protect
the security and confidentiality of customer
information. Accordingly, the Agencies
issued Security Guidelines requiring every
financial institution to have an information
security program designed to:
1. Ensure the security and confidentiality
of customer information;
2. Protect against any anticipated threats or
hazards to the security or integrity of such
information; and
3. Protect against unauthorized access to or
use of such information that could result in
substantial harm or inconvenience to any
customer.
B. Risk Assessment and Controls
1. The Security Guidelines direct every
financial institution to assess the following
risks, among others, when developing its
information security program:
a. Reasonably foreseeable internal and
external threats that could result in
unauthorized disclosure, misuse, alteration,
or destruction of customer information or
customer information systems;
b. The likelihood and potential damage of
threats, taking into consideration the
sensitivity of customer information; and
c. The sufficiency of policies, procedures,
customer information systems, and other
arrangements in place to control risks.3
2. Following the assessment of these risks,
the Security Guidelines require a financial
institution to design a program to address the
identified risks. The particular security
measures an institution should adopt will
depend upon the risks presented by the
complexity and scope of its business. At a
minimum, the financial institution is
required to consider the specific security
measures enumerated in the Security
Guidelines,4 and adopt those that are
appropriate for the institution, including:
a. Access controls on customer information
systems, including controls to authenticate
and permit access only to authorized
individuals and controls to prevent
employees from providing customer
information to unauthorized individuals who
may seek to obtain this information through
fraudulent means;
b. Background checks for employees with
responsibilities for access to customer
information; and
c. Response programs that specify actions
to be taken when the financial institution
suspects or detects that unauthorized
individuals have gained access to customer
information systems, including appropriate
reports to regulatory and law enforcement
agencies.5
C. Service Providers
The Security Guidelines direct every
financial institution to require its service
providers by contract to implement
appropriate measures designed to protect
against unauthorized access to or use of
customer information that could result in
substantial harm or inconvenience to any
customers.6
II. Response Program
Millions of Americans, throughout the
country, have been victims of identity theft.7
Identity thieves misuse personal information
they obtain from a number of sources,
including financial institutions, to perpetrate
identity theft. Therefore, financial
institutions should take preventative
measures to safeguard customer information
against attempts to gain unauthorized access
to the information. For example, financial
institutions should place access controls on
customer information systems and conduct
background checks for employees who are
authorized to access customer information.8
However, every financial institution should
also develop and implement a risk-based
response program to address incidents of
unauthorized access to customer information
in customer information systems 9 that occur
nonetheless. A response program should be
a key part of an institution’s information
security program.10 The program should be
appropriate to the size and complexity of the
institution and the nature and scope of its
activities.
In addition, each institution should be able
to address incidents of unauthorized access
to customer information in customer
information systems maintained by its
domestic and foreign service providers.
Therefore, consistent with the obligations in
the Guidelines that relate to these
arrangements, and with existing guidance on
this topic issued by the Agencies,11 an
institution’s contract with its service
provider should require the service provider
to take appropriate actions to address
incidents of unauthorized access to the
financial institution’s customer information,
including notification to the institution as
soon as possible of any such incident, to
enable the institution to expeditiously
implement its response program.
A. Components of a Response Program
1. At a minimum, an institution’s response
program should contain procedures for the
following:
a. Assessing the nature and scope of an
incident, and identifying what customer
information systems and types of customer
information have been accessed or misused;
b. Notifying its primary Federal regulator
as soon as possible when the institution
becomes aware of an incident involving
unauthorized access to or use of sensitive
customer information, as defined below;
c. Consistent with the Agencies’
Suspicious Activity Report (‘‘SAR’’)
regulations,12 notifying appropriate law
enforcement authorities, in addition to filing
a timely SAR in situations involving Federal
criminal violations requiring immediate
attention, such as when a reportable violation
is ongoing;
d. Taking appropriate steps to contain and
control the incident to prevent further
unauthorized access to or use of customer
information, for example, by monitoring,
freezing, or closing affected accounts, while
preserving records and other evidence;13 and
e. Notifying customers when warranted.
2. Where an incident of unauthorized
access to customer information involves
customer information systems maintained by
an institution’s service providers, it is the
responsibility of the financial institution to
notify the institution’s customers and
regulator. However, an institution may
authorize or contract with its service
provider to notify the institution’s customers
or regulator on its behalf.
III. Customer Notice
Financial institutions have an affirmative
duty to protect their customers’ information
against unauthorized access or use. Notifying
customers of a security incident involving
the unauthorized access or use of the
customer’s information in accordance with
the standard set forth below is a key part of
that duty. Timely notification of customers is
important to manage an institution’s
reputation risk. Effective notice also may
reduce an institution’s legal risk, assist in
maintaining good customer relations, and
enable the institution’s customers to take
steps to protect themselves against the
consequences of identity theft. When
customer notification is warranted, an
institution may not forgo notifying its
customers of an incident because the
institution believes that it may be potentially
embarrassed or inconvenienced by doing so.
A. Standard for Providing Notice
When a financial institution becomes
aware of an incident of unauthorized access
to sensitive customer information, the
institution should conduct a reasonable
investigation to promptly determine the
likelihood that the information has been or
will be misused. If the institution determines
that misuse of its information about a
customer has occurred or is reasonably
possible, it should notify the affected
customer as soon as possible. Customer
notice may be delayed if an appropriate law
enforcement agency determines that
notification will interfere with a criminal
investigation and provides the institution
with a written request for the delay.
However, the institution should notify its
customers as soon as notification will no
longer interfere with the investigation.
1. Sensitive Customer Information
Under the Guidelines, an institution must
protect against unauthorized access to or use
of customer information that could result in
substantial harm or inconvenience to any
customer. Substantial harm or inconvenience
is most likely to result from improper access
to sensitive customer information because
this type of information is most likely to be
misused, as in the commission of identity
theft. For purposes of this Guidance,
sensitive customer information means a
customer’s name, address, or telephone
number, in conjunction with the customer’s
social security number, driver’s license
number, account number, credit or debit card
number, or a personal identification number
or password that would permit access to the
customer’s account. Sensitive customer
information also includes any combination of
components of customer information that
would allow someone to log onto or access
the customer’s account, such as user name and
password or password and account number.
2. Affected Customers
If a financial institution, based upon its
investigation, can determine from its logs or
other data precisely which customers’
information has been improperly accessed, it
may limit notification to those customers
with regard to whom the institution
determines that misuse of their information
has occurred or is reasonably possible.
However, there may be situations where the
institution determines that a group of files
has been accessed improperly, but is unable
to identify which specific customers’
information has been accessed. If the
circumstances of the unauthorized access
lead the institution to determine that misuse
of the information is reasonably possible, it
should notify all customers in the group.
B. Content of Customer Notice
1. Customer notice should be given in a
clear and conspicuous manner. The notice
should describe the incident in general terms
and the type of customer information that
was the subject of unauthorized access or
use. It also should generally describe what
the institution has done to protect the
customers’ information from further
unauthorized access. In addition, it should
include a telephone number that customers
can call for further information and
assistance.14 The notice also should remind
customers of the need to remain vigilant over
the next twelve to twenty-four months, and
to promptly report incidents of suspected
identity theft to the institution. The notice
should include the following additional
items, when appropriate:
a. A recommendation that the customer
review account statements and immediately
report any suspicious activity to the
institution;
b. A description of fraud alerts and an
explanation of how the customer may place
a fraud alert in the customer’s consumer
reports to put the customer’s creditors on
notice that the customer may be a victim of
fraud;
c. A recommendation that the customer
periodically obtain credit reports from each
nationwide credit reporting agency and have
information relating to fraudulent
transactions deleted;
d. An explanation of how the customer
may obtain a credit report free of charge; and
e. Information about the availability of the
FTC’s online guidance regarding steps a
consumer can take to protect against identity
theft. The notice should encourage the
customer to report any incidents of identity
theft to the FTC, and should provide the
FTC’s Web site address and toll-free
telephone number that customers may use to
obtain the identity theft guidance and report
suspected incidents of identity theft.15
2. The Agencies encourage financial
institutions to notify the nationwide
consumer reporting agencies prior to sending
notices to a large number of customers that
include contact information for the reporting
agencies.
C. Delivery of Customer Notice
Customer notice should be delivered in
any manner designed to ensure that a
customer can reasonably be expected to
receive it. For example, the institution may
choose to contact all customers affected by
telephone or by mail, or by electronic mail
for those customers for whom it has a valid
email address and who have agreed to
receive communications electronically.
1 This Guidance was jointly issued by the
Board of Governors of the Federal Reserve
System (Board), the Federal Deposit
Insurance Corporation (FDIC), the Office of
the Comptroller of the Currency (OCC), and
the Office of Thrift Supervision (OTS).
Pursuant to 12 U.S.C. 5412, the OTS is no
longer a party to this Guidance.
2 12 CFR part 30, app. B (OCC); 12 CFR part
208, app. D–2 and part 225, app. F (Board);
and 12 CFR part 364, app. B (FDIC). The
‘‘Interagency Guidelines Establishing
Information Security Standards’’ were
formerly known as ‘‘The Interagency
Guidelines Establishing Standards for
Safeguarding Customer Information.’’
3 See Security Guidelines, III.B.
4 See Security Guidelines, III.C.
5 See Security Guidelines, III.C.
6 See Security Guidelines, II.B, and III.D.
Further, the Agencies note that, in addition
to contractual obligations to a financial
institution, a service provider may be
required to implement its own
comprehensive information security program
in accordance with the Safeguards Rule
promulgated by the Federal Trade
Commission (FTC), 12 CFR part 314.
7 The FTC estimates that nearly 10 million
Americans discovered they were victims of
some form of identity theft in 2002. See The
Federal Trade Commission. Identity Theft
Survey Report (September 2003), available at
https://www.ftc.gov/os/2003/09/synovatereport.pdf.
8 Institutions should also conduct
background checks of employees to ensure
that the institution does not violate 12 U.S.C.
1829, which prohibits an institution from
hiring an individual convicted of certain
criminal offenses or who is subject to a
prohibition order under 12 U.S.C. 1818(e)(6).
9 Under the Guidelines, an institution’s
customer information systems consist of all
of the methods used to access, collect, store,
use, transmit, protect, or dispose of customer
information, including the systems
maintained by its service providers. See
Security Guidelines, I.C.2.d.
10 See FFIEC Information Technology
Examination Handbook, Information Security
Booklet, Dec. 2002, available at https://
ithandbook.ffiec.gov/it-booklets/information-security.aspx; Federal Reserve SR 97–32,
Sound Practice Guidance for Information
Security for Networks, Dec. 4, 1997; OCC
Bulletin 2000–14, ‘‘Infrastructure Threats—
Intrusion Risks’’ (May 15, 2000), for
additional guidance on preventing, detecting,
and responding to intrusions into financial
institutions’ computer systems.
11 See Federal Reserve SR Ltr. 13–19,
Guidance on Managing Outsourcing Risk,
Dec. 5, 2013; OCC Bulletin 2013–29, ‘‘Third-Party Relationships—Risk Management
Guidance,’’ Oct. 30, 2013; FDIC FIL 44–
08, Guidance for Managing Third Party Risk,
June 6, 2008; and FIL 68–99, Risk Assessment
Tools and Practices for Information System
Security, July 7, 1999.
12 An institution’s obligation to file a SAR
is set out in the Agencies’ SAR regulations
and Agency guidance. See, for example, 12
CFR 21.11 (national banks, Federal branches
and agencies); 12 CFR 163.180 (Federal
savings associations); 12 CFR 208.62 (State
member banks); 12 CFR 211.5(k) (Edge and
agreement corporations); 12 CFR 211.24(f)
(uninsured State branches and agencies of
foreign banks); 12 CFR 225.4(f) (bank holding
companies and their nonbank subsidiaries);
and 12 CFR part 353 (State non-member
banks). National banks must file SARs in
connection with computer intrusions and
other computer crimes. See OCC Bulletin
2000–14, ‘‘Infrastructure Threats—Intrusion
Risks’’ (May 15, 2000); Advisory Letter 97–
9, ‘‘Reporting Computer Related Crimes’’
(November 19, 1997) (general guidance still
applicable though instructions for new SAR
form published in 65 FR 1229, 1230 (January
7, 2000)). See also Federal Reserve SR 01–11,
Identity Theft and Pretext Calling, Apr. 26,
2001.
13 See FFIEC Information Technology
Examination Handbook, Information Security
Booklet, Dec. 2002, pp. 68–74.
14 The institution should, therefore, ensure
that it has reasonable policies and procedures
in place, including trained personnel, to
respond appropriately to customer inquiries
and requests for assistance.
15 Currently, the FTC Web site for the ID
Theft brochure and the FTC Hotline phone
number are https://www.consumer.gov/idtheft
and 1–877–IDTHEFT. The institution may
also refer customers to any materials
developed pursuant to section 151(b) of the
FACT Act (educational materials developed
by the FTC to teach the public how to
prevent identity theft).
PART 391—FORMER OFFICE OF
THRIFT SUPERVISION REGULATIONS
■ 4. The authority citation for part 391
is revised to read as follows:
Authority: 12 U.S.C. 1819 (Tenth).
Subpart A also issued under 12 U.S.C.
1462a; 1463; 1464; 1828; 1831p–1; 1881–
1884; 15 U.S.C. 1681w; 15 U.S.C. 6801; 6805.
Subpart C also issued under 12 U.S.C.
1462a; 1463; 1464; 1828; 1831p-1; and 1881–
1884; 15 U.S.C. 1681m; 1681w.
Subpart D also issued under 12 U.S.C.
1462; 1462a; 1463; 1464; 42 U.S.C. 4012a;
4104a; 4104b; 4106; 4128.
Subpart E also issued under 12 U.S.C.
1467a; 1468; 1817; 1831i.
Subpart B—[Removed and Reserved]
■ 5. Remove and reserve subpart B
consisting of §§ 391.10 through 391.14,
appendix A to subpart B of part 391,
and appendix B to subpart B of part 391.
Dated at Washington, DC, this 21st day of
January, 2015.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 2015–01325 Filed 1–29–15; 8:45 am]
BILLING CODE 6714–01–P
FEDERAL DEPOSIT INSURANCE
CORPORATION
12 CFR Parts 324 and 329
RIN 3064–AE30
Regulatory Capital Rules, Liquidity
Coverage Ratio: Proposed Revisions
to the Definition of Qualifying Master
Netting Agreement and Related
Definitions
AGENCY: Federal Deposit Insurance
Corporation (FDIC).
ACTION: Notice of proposed rulemaking.
SUMMARY: The FDIC invites comment on
a notice of proposed rulemaking (NPR
or proposed rule) that would amend the
definition of ‘‘qualifying master netting
agreement’’ under the regulatory capital
rules, and the liquidity coverage ratio
rule. The FDIC also is proposing to
amend the definitions of ‘‘collateral
agreement,’’ ‘‘eligible margin loan,’’ and
‘‘repo-style transaction’’ under the
regulatory capital rules. The
amendments are designed to ensure that
the regulatory capital and liquidity
treatment of certain financial contracts
generally would not be affected by
implementation of special resolution
regimes in foreign jurisdictions if such
regimes are substantially similar to Title
II of the Dodd-Frank Wall Street Reform
and Consumer Protection Act and the
Federal Deposit Insurance Act in the
United States, or by the International
Swaps and Derivative Association
Resolution Stay Protocol that provide
for contractual submission to such
regimes. In December 2014, the Office of
the Comptroller of the Currency (OCC)
and the Board of Governors of the
Federal Reserve System (Board) adopted
a joint interim final rule that is related
to this proposed rule.
DATES: Comments must be received
March 31, 2015.
ADDRESSES: You may submit comments,
identified by RIN 3064–AE30, by any of
the following methods:
• Agency Web site: https://
www.fdic.gov/regulations/laws/federal/.
Follow instructions for submitting
comments on the Agency Web site.
• Email: Comments@fdic.gov. Include
the RIN 3064–AE30 on the subject line
of the message.
• Mail: Robert E. Feldman, Executive
Secretary, Attention: Comments, Federal
Deposit Insurance Corporation, 550 17th
Street NW., Washington, DC 20429.
• Hand Delivery: Comments may be
hand delivered to the guard station at
the rear of the 550 17th Street Building
(located on F Street) on business days
between 7:00 a.m. and 5:00 p.m.
Public Inspection: All comments
received must include the agency name
and RIN 3064–AE30 for this rulemaking.
All comments received will be posted
without change to https://www.fdic.gov/
regulations/laws/federal/, including any
personal information provided. Paper
copies of public comments may be
ordered from the FDIC Public
Information Center, 3501 North Fairfax
Drive, Room E–I002, Arlington, VA
22226 by telephone at (877) 275–3342 or
(703) 562–2200.
FOR FURTHER INFORMATION CONTACT:
Bobby R. Bean, Associate Director,
bbean@fdic.gov; Ryan Billingsley, Chief,
Capital Policy Section,
rbillingsley@fdic.gov; Benedetto Bosco,
Capital Markets Policy Analyst,
bbosco@fdic.gov; Capital Markets
Branch, Division of Risk Management
Supervision, (202) 898–6888; or David
Wall, Assistant General Counsel,
dwall@fdic.gov; Michael Phillips,
Counsel, mphillips@fdic.gov; Ann
Battle, Counsel, abattle@fdic.gov; Rachel
Ackmann, Senior Attorney,
rackmann@fdic.gov; Grace Pyun, Senior
Attorney, gpyun@fdic.gov; Supervision
Branch, Legal Division, Federal Deposit
Insurance Corporation, 550 17th Street
NW., Washington, DC 20429.
SUPPLEMENTARY INFORMATION:
I. Summary
The regulatory capital rules of the
Board, the OCC, and the FDIC
(collectively, the agencies) permit a
banking organization to measure
exposure from certain types of financial
contracts on a net basis and recognize
the risk-mitigating effect of financial
collateral for other types of exposures,
provided that the contracts are subject
to a ‘‘qualifying master netting
agreement’’ that provides for certain
rights upon a counterparty default.1 The
agencies, by rule, have defined a
qualifying master netting agreement as a
netting agreement that permits a
banking organization to terminate, apply
close-out netting, and promptly
liquidate or set-off collateral upon an
event of default of the counterparty
(default rights), thereby reducing its
counterparty exposure and market
risks.2 On the whole, measuring the
amount of exposure of these contracts
on a net basis, rather than a gross basis,
results in a lower measure of exposure,
and thus, a lower capital requirement,
under the regulatory capital rules.
The current definition of ‘‘qualifying
master netting agreement’’ recognizes
that default rights may be stayed if the
financial company is in receivership,
conservatorship, or resolution under
Title II of the Dodd-Frank Wall Street
Reform and Consumer Protection Act
(Dodd-Frank Act),3 or under the Federal
Deposit Insurance Act (FDI Act).4
Accordingly, transactions conducted
under netting agreements where default
rights may be stayed under Title II of the
Dodd-Frank Act or the FDI Act may
qualify for the favorable capital
treatment described above. However,
the current definition of ‘‘qualifying
master netting agreement’’ does not
recognize that default rights may be
stayed where a master netting agreement
is subject to limited stays under foreign
special resolution regimes or where
counterparties agree through contract
that a special resolution regime would
apply. When the agencies adopted the
current definition of ‘‘qualifying master
netting agreement,’’ no other
jurisdiction had adopted a special
resolution regime relevant to the
definition, and no banking organizations
1 See 12 CFR part 3 (OCC), 12 CFR part 217
(Board); 12 CFR part 324 (FDIC). The term ‘‘banking
organization’’ includes national banks, state
member banks, state nonmember banks, savings
associations, and top-tier bank holding companies
domiciled in the United States not subject to the
Board’s Small Bank Holding Company Policy
Statement (12 CFR part 225, appendix C), as well
as top-tier savings and loan holding companies
domiciled in the United States, except for certain
savings and loan holding companies that are
substantially engaged in insurance underwriting or
commercial activities.
2 See section 2 of the regulatory capital rules.
3 See 12 U.S.C. 5390(c)(8) through (16).
4 See 12 U.S.C. 1821(e)(8) through (13). The
definition also recognizes that default rights may be
stayed under any similar insolvency law applicable
to government sponsored enterprises (GSEs).
Generally under the agencies’ regulatory capital
rules, government-sponsored enterprise means an
entity established or chartered by the U.S.
government to serve public purposes specified by
the U.S. Congress but whose debt obligations are
not explicitly guaranteed by the full faith and credit
of the U.S. government. See regulatory capital rules
Section 2.
[Federal Register Volume 80, Number 20 (Friday, January 30, 2015)]
[Proposed Rules]
[Pages 5052-5063]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2015-01325]
=======================================================================
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308, 364 and 391
RIN 3064-AE28
Transferred OTS Regulations Regarding Safety and Soundness
Guidelines and Compliance Procedures and Amendments
AGENCY: Federal Deposit Insurance Corporation.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: In this notice of proposed rulemaking, the Federal Deposit
Insurance Corporation (FDIC) proposes to rescind and remove from the
Code of Federal Regulations 12 CFR part 391, subpart B, entitled
``Safety and Soundness Guidelines and Compliance Procedures'' and
Appendix A and B to part 391, subpart B and supplement A to appendix B.
With few exceptions addressed below, the requirements for state savings
associations in part 391, subpart B, are substantively similar to those
in the FDIC's 12 CFR part 308, subpart R, and in the FDIC's 12 CFR part
364.
Upon the completion of these proposed changes, the ``Standards for
Safety and Soundness'' for all insured
[[Page 5053]]
depository institutions for which the FDIC has been designated the
appropriate Federal banking agency will be found at part 364 and the
``Submission and Review of Safety and Soundness Compliance Plans and
Issuance of Orders to Correct Safety and Soundness Deficiencies'' for
all insured depository institutions for which the FDIC has been
designated the appropriate Federal banking agency will be found at part
308, subpart R.
DATES: Comments must be received on or before March 31, 2015.
ADDRESSES: You may submit comments by any of the following methods:
• FDIC Web site: https://www.fdic.gov/regulations/laws/federal/. Follow instructions for submitting comments on the agency Web
site.
• FDIC Email: Comments@fdic.gov. Include RIN 3064-AE28 on
the subject line of the message.
• FDIC Mail: Robert E. Feldman, Executive Secretary,
Attention: Comments, Federal Deposit Insurance Corporation, 550 17th
Street NW., Washington, DC 20429.
• Hand Delivery to FDIC: Comments may be hand-delivered to
the guard station at the rear of the 550 17th Street Building (located
on F Street) on business days between 7 a.m. and 5 p.m.
Please include your name, affiliation, address, email address, and
telephone number(s) in your comment. Where appropriate, comments should
include a short Executive Summary consisting of no more than five
single-spaced pages. All statements received, including attachments and
other supporting materials, are part of the public record and are
subject to public disclosure. You should submit only information that
you wish to make publicly available.
Please note: All comments received will be posted generally
without change to https://www.fdic.gov/regulations/laws/federal/,
including any personal information provided. Paper copies of public
comments may be requested from the Public Information Center by
telephone at 1-877-275-3342 or 1-703-562-2200.
FOR FURTHER INFORMATION CONTACT: Rebecca M. Parks, Review Examiner,
Division of Risk Management Supervision (202) 898-3912; Jann L. Harley,
Senior Attorney, Legal Division (312) 382-6535; and Michael P. Condon,
Counsel, Legal Division (202) 898-6536.
SUPPLEMENTARY INFORMATION:
I. Background
The Dodd-Frank Act
The Dodd-Frank Act provided for a substantial reorganization of the
regulation of State and Federal savings associations and their holding
companies. Beginning July 21, 2011, the transfer date established by
section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the
powers, duties, and functions formerly performed by the OTS were
divided among the FDIC, as to State savings associations, the Office of
the Comptroller of the Currency (``OCC''), as to Federal savings
associations, and the Board of Governors of the Federal Reserve System
(``FRB''), as to savings and loan holding companies. Section 316(b) of
the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner
of treatment for all orders, resolutions, determinations, regulations,
and advisory materials that had been issued, made, prescribed, or
allowed to become effective by the OTS. The section provides that if
such materials were in effect on the day before the transfer date, they
continue in effect and are enforceable by or against the appropriate
successor agency until they are modified, terminated, set aside, or
superseded in accordance with applicable law by such successor agency,
by any court of competent jurisdiction, or by operation of law.
Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C.
5414(c), further directed the FDIC and the OCC to consult with one
another and to publish a list of the continued OTS regulations which
would be enforced by the FDIC and the OCC, respectively. On June 14,
2011, the FDIC's Board of Directors approved a ``List of OTS
Regulations to be Enforced by the OCC and the FDIC Pursuant to the
Dodd-Frank Wall Street Reform and Consumer Protection Act.'' This list
was published by the FDIC and the OCC as a Joint Notice in the Federal
Register on July 6, 2011.\1\
---------------------------------------------------------------------------
\1\ 76 FR 39247 (July 6, 2011).
Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act,
codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC
rulemaking authority relating to both State and Federal savings
associations, nothing in the Dodd-Frank Act affected the FDIC's
existing authority to issue regulations under the FDI Act and other
laws as the ``appropriate Federal banking agency'' or under similar
statutory terminology. Section 312(c) of the Dodd-Frank Act amended
the definition of ``appropriate Federal banking agency'' contained
in Section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State
savings associations to the list of entities for which the FDIC is
designated as the ``appropriate Federal banking agency.'' As a
result, when the FDIC acts as the designated ``appropriate Federal
banking agency'' (or under similar terminology) for State savings
associations, as it does here, the FDIC is authorized to issue,
modify, and rescind regulations involving such associations, as well
as for State nonmember banks and insured branches of foreign banks.
---------------------------------------------------------------------------
As noted, on June 14, 2011, operating pursuant to this authority,
the FDIC's Board of Directors reissued and redesignated certain
transferring regulations of the former OTS. These transferred OTS
regulations were published as new FDIC regulations in the Federal
Register on August 5, 2011.\2\ When it republished the transferred OTS
regulations as new FDIC regulations, the FDIC specifically noted that
its staff would evaluate the transferred OTS rules and might later
recommend incorporating the transferred OTS regulations into other FDIC
rules, amending them, or rescinding them, as appropriate.
---------------------------------------------------------------------------
\2\ 76 FR 47652 (Aug. 5, 2011).
---------------------------------------------------------------------------
One of the OTS's rules transferred to the FDIC governs safety and
soundness guidelines, the submission and review of safety and soundness
compliance plans, and the issuance of orders to correct safety and
soundness deficiencies. The OTS's rule, formerly found at 12 CFR part
570, was transferred to the FDIC with only nomenclature changes and is
now found in the FDIC's rules at part 391, subpart B, entitled ``Safety
and Soundness Guidelines and Compliance Procedures.'' The ``Interagency
Guidelines Establishing Standards for Safety and Soundness'' were found
at appendix A to part 391, subpart B, the ``Interagency Guidelines
Establishing Information Security Standards'' were found at appendix B
to part 391, subpart B, and the ``Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer
Notice'' were found at the supplement to appendix B to part 391,
subpart B. Before the transfer of the OTS rules and continuing today,
the FDIC's rules contained part 364, entitled ``Standards for Safety
and Soundness,'' a rule establishing safety and soundness standards for
State nonmember insured banks and State-licensed insured branches of
foreign banks that are subject to section 39 of the FDI Act, 12 U.S.C.
1831p-1. Part 364 also established safety and soundness standards
relating to information security for State nonmember insured banks,
insured State licensed branches of foreign banks, and any subsidiaries
of such entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisors) as set out in appendix B
to part 364, the ``Interagency Guidelines Establishing Information
Security
[[Page 5054]]
Standards'' and supplement A to appendix B to part 364, the
``Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice.'' Additionally, before the
transfer of the OTS rules and continuing today, the FDIC's rules
contained part 308, subpart R, entitled ``Submission and Review of
Safety and Soundness Compliance Plans and Issuance of Orders to Correct
Safety and Soundness Deficiencies.''
After careful review and comparison of part 391, subpart B and part
308, subpart R, and part 364 and its accompanying appendices and
supplement to appendices, the FDIC proposes to rescind subpart B of
part 391 because, as discussed below, it is substantively redundant to
existing part 308, subpart R, and part 364 and the accompanying
appendices A and B and supplement A to appendix B.
Furthermore, to clarify that part 308, subpart R, and part 364 and
its accompanying appendices A and B and supplement A to appendix B,
apply to all insured depository institutions for which the FDIC has
been designated the appropriate Federal banking agency, the FDIC
proposes to amend part 308, subpart R, and part 364 and to reissue the
appendices and supplement A to appendix B to part 364 to add ``State
savings associations'' within the list of institutions to which the
rules and the appendices apply.
FDIC's Existing 12 CFR Part 308, Subpart R
Section 132 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA), Public Law 102-242, added Section 39
to the FDI Act (12 U.S.C. 1831p-1), which required each Federal
banking agency to establish by regulation certain safety and soundness
standards for the insured depository institutions for which it was the
primary Federal regulator. Section 39 of the FDI Act was further
amended on September 23, 1994 by section 318 of the Riegle Community
Development and Regulatory Improvement Act of 1994, Public Law 103-325.
In response to Section 39 of the FDI Act, the FDIC adopted subpart R of
part 308 in 1995 to address the submission and review of safety and
soundness compliance plans and issuance of orders to correct safety and
soundness deficiencies.
FDIC's Existing 12 CFR Part 364 and Appendices A and B and Supplement A
to Appendix B
Section 132 of the Federal Deposit Insurance Corporation
Improvement Act of 1991 (FDICIA), Public Law 102-242, added Section 39
to the FDI Act (12 U.S.C. 1831p-1), which required each Federal
banking agency to establish by regulation certain safety and soundness
standards for the insured depository institutions for which it was the
primary Federal regulator. Section 39 of the FDI Act was further
amended on September 23, 1994 by section 318 of the Riegle Community
Development and Regulatory Improvement Act of 1994, Public Law 103-325.
In response to Section 39 of the FDI Act, the FDIC adopted part 364 in
1995 and appendix A to part 364, the ``Interagency Guidelines
Establishing Standards for Safety and Soundness,'' in 1995. The FDIC
adopted appendix B to part 364, the ``Interagency Guidelines
Establishing Information Security Standards,'' in 1998. The FDIC
adopted supplement A to appendix B to part 364, the ``Interagency
Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice,'' in 2005.
Former OTS's 12 CFR Part 570 (transferred to FDIC's Part 391, Subpart
B)
In 1995, the OTS adopted 12 CFR part 570 as a final rule governing
safety and soundness guidelines and compliance procedures for State
savings associations. The OTS adopted appendix A to part 570, the
``Interagency Guidelines Establishing Standards for Safety and
Soundness,'' in 1995, adopted appendix B to part 570, the ``Interagency
Guidelines Establishing Information Security Standards,'' in 1998, and
adopted the supplement to appendix B, the ``Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information and
Customer Notice,'' in 2005.
Despite the differences addressed above and minor technical
nuances, the OTS's rule was otherwise substantively similar to the
FDIC's rules governing safety and soundness guidelines and compliance
procedures found in part 308, subpart R, and part 364 and its
accompanying appendices. After careful comparison of the OTS part 570
(which existed prior to the transfer of the OTS rules to part 391) with
the FDIC's part 308, subpart R, and the FDIC's part 364, the FDIC has
concluded that the transferred OTS rules found at part 391, subpart B,
and the accompanying guidelines found in appendices A and B and the
supplement to appendix B, are substantively redundant. Therefore, based
on the above, the FDIC proposes to rescind and remove from the Code of
Federal Regulations the rules located at part 391, subpart B.
II. The Proposal
Regarding the functions of the former OTS that were transferred to
the FDIC, Section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C.
5414(b)(3), in pertinent part, provides that the former OTS's
regulations will be enforceable by the FDIC until they are modified,
terminated, set aside, or superseded in accordance with applicable law.
After reviewing the rules and accompanying appendices currently found
in part 391, subpart B, the FDIC, as the appropriate Federal banking
agency for State savings associations, proposes to rescind part 391,
subpart B in its entirety. The FDIC also proposes to amend part 364 and
appendix A and B and supplement A to appendix B to include State
savings associations within the scope of the regulation and guidelines.
The FDIC also proposes to amend part 308, subpart R to apply to State
savings associations. If the proposal is finalized, the safety and
soundness guidelines in part 364 and its accompanying appendices and
supplement to appendices would apply to all FDIC-supervised
institutions, and the procedures found in part 308, subpart R, for the
submission and review of safety and soundness compliance plans and
issuance of orders to correct safety and soundness deficiencies would
also apply to all FDIC-supervised institutions. Part 391, subpart B
would be removed because it is redundant of the rules found in part 364
and part 308, subpart R. Rescinding part 391, subpart B, will serve to
streamline the FDIC's rules and eliminate unnecessary regulations.
III. Request for Comments
The FDIC invites comments on all aspects of this proposed
rulemaking, and specifically requests comments on the following:
(1.) Are the provisions of part 308, subpart R, sufficient to
establish effective procedures for the submission and review of safety
and soundness compliance plans and the issuance of orders to correct
safety and soundness deficiencies for all FDIC-supervised
institutions?
(2.) Are the provisions of the proposed part 364 and the
accompanying appendices and supplement to appendices sufficient to
provide consistent and effective safety and soundness guidance and
information security standards? Please substantiate your answer.
(3.) What impacts, positive or negative, can you foresee in the
FDIC's proposal to rescind part 391, subpart B?
[[Page 5055]]
Written comments must be received by the FDIC no later than March
31, 2015.
IV. Regulatory Analysis and Procedure
A. The Paperwork Reduction Act
In accordance with the requirements of the Paperwork Reduction Act
(``PRA'') of 1995 (44 U.S.C. 3501-3521), the FDIC may not conduct or
sponsor, and the respondent is not required to respond to, an
information collection unless it displays a currently valid Office of
Management and Budget (``OMB'') control number.
The Proposed Rule would rescind and remove part 391, subpart B,
from the FDIC regulations. This rule was transferred with only nominal
changes to the FDIC from the OTS when the OTS was abolished by Title
III of the Dodd-Frank Act. Part 391, subpart B, is largely redundant of
the FDIC's existing part 364 regarding standards for safety and
soundness and subpart R of the FDIC's existing part 308 regarding the
submission and review of safety and soundness compliance plans and
issuance of orders to correct safety and soundness deficiencies.
The Proposed Rule would amend parts 364 and subpart R of Part 308
to include State savings associations within the scope of those
regulations. This measure is to clarify that State savings
associations, as well as State nonmember insured banks and foreign
banks having insured branches, are all subject to part 364 and the
provisions of subpart R of part 308. Thus, these provisions of the
Proposed Rule will neither create any new paperwork information
collections nor impact current burden estimates. Based on the above, no
information collection request has been submitted to the OMB for
review.
B. The Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), requires that, in connection
with a notice of proposed rulemaking, an agency prepare and make
available for public comment an initial regulatory flexibility analysis
that describes the impact of the proposed rule on small entities
(defined in regulations promulgated by the Small Business
Administration to include banking organizations with total assets of
less than or equal to $550 million).\3\ However, a regulatory
flexibility analysis is not required if the agency certifies that the
rule will not have a significant economic impact on a substantial
number of small entities, and publishes its certification and a short
explanatory statement in the Federal Register together with the rule.
For the reasons provided below, the FDIC certifies that the Proposed
Rule, if adopted in final form, would not have a significant economic
impact on a substantial number of small entities. Accordingly, a
regulatory flexibility analysis is not required.
---------------------------------------------------------------------------
\3\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------
As discussed in this notice of proposed rulemaking, part 391,
subpart B was transferred from OTS's part 570 which established safety
and soundness guidelines and the process for requesting compliance
plans and issuing orders to correct deficiencies. OTS's part 570 had
been in effect since 1995, and all state savings associations were
required to comply with it. Because it is redundant of existing part
364 of the FDIC's rules and subpart R of part 308 of the FDIC's rules,
the FDIC proposes rescinding and removing part 391, subpart B. As a
result, all FDIC-supervised institutions, including State savings
associations, would be required to comply with part 364 and part 308,
subpart R. Because all State savings associations have been required to
comply with substantially similar safety and soundness guidelines and
have been subject to substantially similar procedures for the filing of
safety and soundness compliance plans and orders to correct
deficiencies since 1995, today's Proposal would have no significant
economic impact on any State savings association.
C. Plain Language
Section 722 of the GLB Act, codified at 12 U.S.C. 4809, requires
each Federal banking agency to use plain language in all of its
proposed and final rules published after January 1, 2000. The FDIC
invites comments on whether the Proposed Rule is clearly stated and
effectively organized, and how the FDIC might make it easier to
understand. For example:
• Has the FDIC organized the material to suit your needs? If
not, how could it present the rule more clearly?
• Have we clearly stated the requirements of the rule? If
not, how could the rule be more clearly stated?
• Does the rule contain technical jargon that is not clear?
If so, which language requires clarification?
• Would a different format (grouping and order of sections,
use of headings, paragraphing) make the regulation easier to
understand? If so, what changes would make the regulation easier to
understand?
• What else could we do to make the regulation easier to
understand?
D. The Economic Growth and Regulatory Paperwork Reduction Act
Under Section 2222 of the Economic Growth and Regulatory Paperwork
Reduction Act of 1996 (EGRPRA), the FDIC is required to review all of
its regulations, at least once every 10 years, in order to identify any
outdated or otherwise unnecessary regulations imposed on insured
institutions.\4\ The FDIC completed the last comprehensive review of
its regulations under EGRPRA in 2006 and is commencing the next
decennial review. The action taken on this rule will be included as
part of the EGRPRA review that is currently under way. As part of that
review, the FDIC invites comments concerning whether the Proposed Rule
would impose any outdated or unnecessary regulatory requirements on
insured depository institutions. If you provide such comments, please
be specific and provide alternatives whenever appropriate.
---------------------------------------------------------------------------
\4\ Public Law 104-208 (Sept. 30, 1996).
---------------------------------------------------------------------------
List of Subjects
12 CFR part 308
Banks, banking, Safety and soundness compliance plans, Savings
associations.
12 CFR part 364
Banks, banking, Safety and soundness guidelines.
12 CFR part 391
Safety and soundness guidelines.
Authority and Issuance
For the reasons stated in the preamble, the Board of Directors of
the Federal Deposit Insurance Corporation proposes to amend parts 308,
364, and 391 of title 12 of the Code of Federal Regulations as follows:
PART 308--RULES OF PRACTICE AND PROCEDURE
■ 1. The authority citation for part 308 continues to read as follows:
Authority: 5 U.S.C. 504, 554-557; 12 U.S.C. 93(b), 164, 505,
1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831m(g)(4),
1831o, 1831p-1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909,
4717, 15 U.S.C. 78(h) and (i), 78o-4(c), 78o-5, 78q-1, 78s, 78u,
78u-2, 78u-3, and 78w, 6801(b), 6805(b)(1); 28 U.S.C. 2461 note; 31
U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104-134,
110 Stat. 1321-358; and Pub. L. 109-351.
■ 2. Revise subpart R of part 308 to read as follows:
[[Page 5056]]
Subpart R--Submission and Review of Safety and Soundness Compliance
Plans and Issuance of Orders To Correct Safety and Soundness
Deficiencies
Sec.
308.300 Scope.
308.301 Purpose.
308.302 Determination and notification of failure to meet a safety
and soundness standard and request for compliance plan.
308.303 Filing of safety and soundness compliance plan.
308.304 Issuance of orders to correct deficiencies and to take or
refrain from taking other actions.
308.305 Enforcement of orders.
Sec. 308.300 Scope.
The rules and procedures set forth in this subpart apply to insured
state nonmember banks, to state-licensed insured branches of foreign
banks, that are subject to the provisions of section 39 of the Federal
Deposit Insurance Act (section 39) (12 U.S.C. 1831p-1), and to state
savings associations (in aggregate, bank or banks and state savings
association or state savings associations).
Sec. 308.301 Purpose.
Section 39 of the FDI Act requires the FDIC to establish safety and
soundness standards. Pursuant to section 39, a bank or savings
association may be required to submit a compliance plan if it is not in
compliance with a safety and soundness standard established by
guideline under section 39(a) or (b). An enforceable order under
section 8 of the FDI Act may be issued if, after being notified that it
is in violation of a safety and soundness standard established under
section 39, the bank or savings association fails to submit an
acceptable compliance plan or fails in any material respect to
implement an accepted plan. This subpart establishes procedures for
requiring submission of a compliance plan and issuing an enforceable
order pursuant to section 39.
Sec. 308.302 Determination and notification of failure to meet a
safety and soundness standard and request for compliance plan.
(a) Determination. The FDIC may, based upon an examination,
inspection or any other information that becomes available to the FDIC,
determine that a bank or state savings association has failed to
satisfy the safety and soundness standards set out in part 364 of this
chapter and in the Interagency Guidelines Establishing Standards for
Safety and Soundness in appendix A and the Interagency Guidelines
Establishing Information Security Standards in appendix B to part 364
of this chapter.
(b) Request for compliance plan. If the FDIC determines that a bank
or state savings association has failed a safety and soundness standard
pursuant to paragraph (a) of this section, the FDIC may request, by
letter or through a report of examination, the submission of a
compliance plan and the bank or state savings association shall be
deemed to have notice of the request three days after mailing of the
letter by the FDIC or delivery of the report of examination.
Sec. 308.303 Filing of safety and soundness compliance plan.
(a) Schedule for filing compliance plan--(1) In general. A bank or
state savings association shall file a written safety and soundness
compliance plan with the FDIC within 30 days of receiving a request for
a compliance plan pursuant to Sec. 308.302(b), unless the FDIC
notifies the bank or state savings association in writing that the plan
is to be filed within a different period.
(2) Other plans. If a bank or state savings association is
obligated to file, or is currently operating under, a capital
restoration plan submitted pursuant to section 38 of the FDI Act (12
U.S.C. 1831o), a cease-and-desist order entered into pursuant to
section 8 of the FDI Act, a formal or informal agreement, or a response
to a report of examination or report of inspection, it may, with the
permission of the FDIC, submit a compliance plan under this section as
part of that plan, order, agreement, or response, subject to the
deadline provided in paragraph (a)(1) of this section.
(b) Contents of plan. The compliance plan shall include a
description of the steps the bank or state savings association will
take to correct the deficiency and the time within which those steps
will be taken.
(c) Review of safety and soundness compliance plans. Within 30 days
after receiving a safety and soundness compliance plan under this
subpart, the FDIC shall provide written notice to the bank or state
savings association of whether the plan has been approved or seek
additional information from the bank or state savings association
regarding the plan. The FDIC may extend the time within which notice
regarding approval of a plan will be provided.
(d) Failure to submit or implement a compliance plan--(1)
Supervisory actions. If a bank or state savings association fails to
submit an acceptable plan within the time specified by the FDIC or
fails in any material respect to implement a compliance plan, then the
FDIC shall, by order, require the bank or state savings association to
correct the deficiency and may take further actions provided in section
39(e)(2)(B). Pursuant to section 39(e)(3), the FDIC may be required to
take certain actions if the bank or state savings association commenced
operations or experienced a change in control within the previous 24-
month period, or the bank or state savings association experienced
extraordinary growth during the previous 18-month period.
(2) Extraordinary growth. For purposes of paragraph (d)(1) of this
section, extraordinary growth means an increase in assets of more than
7.5 percent during any quarter within the 18-month period preceding the
issuance of a request for submission of a compliance plan, by a bank or
state savings association that is not well capitalized for purposes of
section 38 of the FDI Act. For purposes of calculating an increase in
assets, assets acquired through merger or acquisition approved pursuant
to the Bank Merger Act (12 U.S.C. 1828(c)) will be excluded.
(e) Amendment of compliance plan. A bank or state savings
association that has filed an approved compliance plan may, after prior
written notice to and approval by the FDIC, amend the plan to reflect a
change in circumstance. Until such time as a proposed amendment has
been approved, the bank or state savings association shall implement
the compliance plan as previously approved.
Sec. 308.304 Issuance of orders to correct deficiencies and to take
or refrain from taking other actions.
(a) Notice of intent to issue order--(1) In general. The FDIC shall
provide a bank or state savings association prior written notice of the
FDIC's intention to issue an order requiring the bank or state savings
association to correct a safety and soundness deficiency or to take or
refrain from taking other actions pursuant to section 39 of the FDI
Act. The bank or state savings association shall have such time to
respond to a proposed order as provided by the FDIC under paragraph (c)
of this section.
(2) Immediate issuance of final order. If the FDIC finds it
necessary in order to carry out the purposes of section 39 of the FDI
Act, the FDIC may, without providing the notice prescribed in paragraph
(a)(1) of this section, issue an order requiring a bank or state
savings association immediately to take actions to correct a safety and
soundness deficiency or take or refrain from taking other actions
pursuant to section 39. A bank or state savings association that is
subject to such an immediately effective order may submit a written
appeal of the order to the FDIC. Such an appeal
[[Page 5057]]
must be received by the FDIC within 14 calendar days of the issuance of
the order, unless the FDIC permits a longer period. The FDIC shall
consider any such appeal, if filed in a timely manner, within 60 days
of receiving the appeal. During such period of review, the order shall
remain in effect unless the FDIC, in its sole discretion, stays the
effectiveness of the order.
(b) Contents of notice. A notice of intent to issue an order shall
include:
(1) A statement of the safety and soundness deficiency or
deficiencies that have been identified at the bank or state savings
association;
(2) A description of any restrictions, prohibitions, or affirmative
actions that the FDIC proposes to impose or require;
(3) The proposed date when such restrictions or prohibitions would
be effective or the proposed date for completion of any required
action; and
(4) The date by which the bank or state savings association subject
to the order may file with the FDIC a written response to the notice.
(c) Response to notice--(1) Time for response. A bank or state
savings association may file a written response to a notice of intent
to issue an order within the time period set by the FDIC. Such a
response must be received by the FDIC within 14 calendar days from the
date of the notice unless the FDIC determines that a different period
is appropriate in light of the safety and soundness of the bank or
state savings association or other relevant circumstances.
(2) Contents of response. The response should include:
(i) An explanation why the action proposed by the FDIC is not an
appropriate exercise of discretion under section 39;
(ii) Any recommended modification of the proposed order; and
(iii) Any other relevant information, mitigating circumstances,
documentation, or other evidence in support of the position of the bank
or state savings association regarding the proposed order.
(d) Agency consideration of response. After considering the
response, the FDIC may:
(1) Issue the order as proposed or in modified form;
(2) Determine not to issue the order and so notify the bank or
state savings association; or
(3) Seek additional information or clarification of the response
from the bank or state savings association, or any other relevant
source.
(e) Failure to file response. Failure by a bank or state savings
association to file with the FDIC, within the specified time period, a
written response to a proposed order shall constitute a waiver of the
opportunity to respond and shall constitute consent to the issuance of
the order.
(f) Request for modification or rescission of order. Any bank or
state savings association that is subject to an order under this
subpart may, upon a change in circumstances, request in writing that
the FDIC reconsider the terms of the order, and may propose that the
order be rescinded or modified. Unless otherwise ordered by the FDIC,
the order shall continue in place while such request is pending before
the FDIC.
Sec. 308.305 Enforcement of orders.
(a) Judicial remedies. Whenever a bank or state savings association
fails to comply with an order issued under section 39, the FDIC may
seek enforcement of the order in the appropriate United States district
court pursuant to section 8(i)(1) of the FDI Act.
(b) Failure to comply with order. Pursuant to section 8(i)(2)(A) of
the FDI Act, the FDIC may assess a civil money penalty against any bank
or state savings association that violates or otherwise fails to comply
with any final order issued under section 39 and against any
institution-affiliated party who participates in such violation or
noncompliance.
(c) Other enforcement action. In addition to the actions described
in paragraphs (a) and (b) of this section, the FDIC may seek
enforcement of the provisions of section 39 or this part through any
other judicial or administrative proceeding authorized by law.
3. Revise part 364 to read as follows:
PART 364--STANDARDS FOR SAFETY AND SOUNDNESS
Sec.
364.100 Purpose.
364.101 Standards for safety and soundness.
Appendix A to Part 364--Interagency Guidelines Establishing
Standards for Safety and Soundness
Appendix B to Part 364--Interagency Guidelines Establishing
Information Security Standards
Authority: 12 U.S.C. 1818 and 1819 (Tenth), 1831p-1; 15 U.S.C.
1681b, 1681s, 1681w, 6801(b), 6805(b)(1).
Sec. 364.100 Purpose.
Section 39 of the Federal Deposit Insurance Act requires the
Federal Deposit Insurance Corporation to establish safety and soundness
standards. Pursuant to section 39, this part establishes safety and
soundness standards by guideline.
Sec. 364.101 Standards for safety and soundness.
(a) General standards. The Interagency Guidelines Establishing
Standards for Safety and Soundness prescribed pursuant to section 39 of
the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), as set forth as
appendix A to this part, apply to all insured state nonmember banks, to
state-licensed insured branches of foreign banks, that are subject to
the provisions of section 39 of the Federal Deposit Insurance Act, and
to state savings associations (in aggregate, bank or banks and savings
association or savings associations).
(b) Interagency Guidelines Establishing Information Security
Standards. The Interagency Guidelines Establishing Information Security
Standards prescribed pursuant to section 39 of the Federal Deposit
Insurance Act (12 U.S.C. 1831p-1), and sections 501 and 505(b) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), and with respect to
the proper disposal of consumer information requirements pursuant to
section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w), as set
forth in appendix B to this part, apply to all insured state nonmember
banks, insured state licensed branches of foreign banks, any
subsidiaries of such entities (except brokers, dealers, persons
providing insurance, investment companies, and investment advisers),
and to state savings associations. The interagency regulations and
guidelines on identity theft detection, prevention, and mitigation
prescribed pursuant to section 114 of the Fair and Accurate Credit
Transactions Act of 2003, 15 U.S.C. 1681m(e), are set forth in
Sec. Sec. 334.90, 334.91, and Appendix J of part 334.
Appendix A to Part 364--Interagency Guidelines Establishing Standards
for Safety and Soundness
Table of Contents
I. Introduction.
A. Preservation of existing authority.
B. Definitions.
II. Operational and Managerial Standards.
A. Internal controls and information systems.
B. Internal audit system.
C. Loan documentation.
D. Credit underwriting.
E. Interest rate exposure.
F. Asset growth.
G. Asset quality.
H. Earnings.
I. Compensation, fees and benefits.
III. Prohibition on Compensation That Constitutes an Unsafe and
Unsound Practice.
A. Excessive compensation.
B. Compensation leading to material financial loss.
I. Introduction
i. Section 39 of the Federal Deposit Insurance Act\1\ (FDI Act)
requires each Federal banking agency (collectively, the agencies) to
establish certain safety and soundness standards by regulation or by
guidelines for all insured depository institutions. Under section
39, the agencies must establish three types of standards: (1)
Operational and managerial standards; (2) compensation standards;
and (3) such standards relating to asset quality, earnings, and
stock valuation as they determine to be appropriate.
ii. Section 39(a) requires the agencies to establish operational
and managerial standards relating to: (1) Internal controls,
information systems and internal audit systems, in accordance with
section 36 of the FDI Act (12 U.S.C. 1831m); (2) loan documentation;
(3) credit underwriting; (4) interest rate exposure; (5) asset
growth; and (6) compensation, fees, and benefits, in accordance with
subsection (c) of section 39. Section 39(b) requires the agencies to
establish standards relating to asset quality, earnings, and stock
valuation that the agencies determine to be appropriate.
iii. Section 39(c) requires the agencies to establish standards
prohibiting as an unsafe and unsound practice any compensatory
arrangement that would provide any executive officer, employee,
director, or principal shareholder of the institution with excessive
compensation, fees or benefits and any compensatory arrangement that
could lead to material financial loss to an institution. Section
39(c) also requires that the agencies establish standards that
specify when compensation is excessive.
iv. If an agency determines that an institution fails to meet
any standard established by guidelines under subsection (a) or (b)
of section 39, the agency may require the institution to submit to
the agency an acceptable plan to achieve compliance with the
standard. In the event that an institution fails to submit an
acceptable plan within the time allowed by the agency or fails in
any material respect to implement an accepted plan, the agency must,
by order, require the institution to correct the deficiency. The
agency may, and in some cases must, take other supervisory actions
until the deficiency has been corrected.
v. The agencies have adopted amendments to their rules and
regulations to establish deadlines for submission and review of
compliance plans.\2\
vi. The following Guidelines set out the safety and soundness
standards that the agencies use to identify and address problems at
insured depository institutions before capital becomes impaired. The
agencies believe that the standards adopted in these Guidelines
serve this end without dictating how institutions must be managed
and operated. These standards are designed to identify potential
safety and soundness concerns and ensure that action is taken to
address those concerns before they pose a risk to the Deposit
Insurance Fund.
A. Preservation of Existing Authority
Neither section 39 nor these Guidelines in any way limits the
authority of the agencies to address unsafe or unsound practices,
violations of law, unsafe or unsound conditions, or other practices.
Action under section 39 and these Guidelines may be taken
independently of, in conjunction with, or in addition to any other
enforcement action available to the agencies. Nothing in these
Guidelines limits the authority of the FDIC pursuant to section
38(i)(2)(F) of the FDI Act (12 U.S.C. 1831(o)) and Part 325 of Title
12 of the Code of Federal Regulations.
B. Definitions
1. In general. For purposes of these Guidelines, except as
modified in the Guidelines or unless the context otherwise requires,
the terms used have the same meanings as set forth in sections 3 and
39 of the FDI Act (12 U.S.C. 1813 and 1831p-1).
2. Board of directors, in the case of a state-licensed insured
branch of a foreign bank and in the case of a federal branch of a
foreign bank, means the managing official in charge of the insured
foreign branch.
3. Compensation means all direct and indirect payments or
benefits, both cash and non-cash, granted to or for the benefit of
any executive officer, employee, director, or principal shareholder,
including but not limited to payments or benefits derived from an
employment contract, compensation or benefit agreement, fee
arrangement, perquisite, stock option plan, postemployment benefit,
or other compensatory arrangement.
4. Director shall have the meaning described in 12 CFR
215.2(d).\3\
5. Executive officer shall have the meaning described in 12 CFR
215.2(e).\4\
6. Principal shareholder shall have the meaning described in 12
CFR 215.2(m).\5\
II. Operational and Managerial Standards
A. Internal controls and information systems. An institution
should have internal controls and information systems that are
appropriate to the size of the institution and the nature, scope and
risk of its activities and that provide for:
1. An organizational structure that establishes clear lines of
authority and responsibility for monitoring adherence to established
policies;
2. Effective risk assessment;
3. Timely and accurate financial, operational and regulatory
reports;
4. Adequate procedures to safeguard and manage assets; and
5. Compliance with applicable laws and regulations.
B. Internal audit system. An institution should have an internal
audit system that is appropriate to the size of the institution and
the nature and scope of its activities and that provides for:
1. Adequate monitoring of the system of internal controls
through an internal audit function. For an institution whose size,
complexity or scope of operations does not warrant a full scale
internal audit function, a system of independent reviews of key
internal controls may be used;
2. Independence and objectivity;
3. Qualified persons;
4. Adequate testing and review of information systems;
5. Adequate documentation of tests and findings and any
corrective actions;
6. Verification and review of management actions to address
material weaknesses; and
7. Review by the institution's audit committee or board of
directors of the effectiveness of the internal audit systems.
C. Loan documentation. An institution should establish and
maintain loan documentation practices that:
1. Enable the institution to make an informed lending decision
and to assess risk, as necessary, on an ongoing basis;
2. Identify the purpose of a loan and the source of repayment,
and assess the ability of the borrower to repay the indebtedness in
a timely manner;
3. Ensure that any claim against a borrower is legally
enforceable;
4. Demonstrate appropriate administration and monitoring of a
loan; and
5. Take account of the size and complexity of a loan.
D. Credit underwriting. An institution should establish and
maintain prudent credit underwriting practices that:
1. Are commensurate with the types of loans the institution will
make and consider the terms and conditions under which they will be
made;
2. Consider the nature of the markets in which loans will be
made;
3. Provide for consideration, prior to credit commitment, of the
borrower's overall financial condition and resources, the financial
responsibility of any guarantor, the nature and value of any
underlying collateral, and the borrower's character and willingness
to repay as agreed;
4. Establish a system of independent, ongoing credit review and
appropriate communication to management and to the board of
directors;
5. Take adequate account of concentration of credit risk; and
6. Are appropriate to the size of the institution and the nature
and scope of its activities.
E. Interest rate exposure. An institution should:
1. Manage interest rate risk in a manner that is appropriate to
the size of the institution and the complexity of its assets and
liabilities; and
2. Provide for periodic reporting to management and the board of
directors regarding interest rate risk with adequate information for
management and the board of directors to assess the level of risk.
F. Asset growth. An institution's asset growth should be prudent
and consider:
1. The source, volatility and use of the funds that support
asset growth;
2. Any increase in credit risk or interest rate risk as a result
of growth; and
3. The effect of growth on the institution's capital.
G. Asset quality. An insured depository institution should
establish and maintain a system that is commensurate with the
institution's size and the nature and scope of its operations to
identify problem assets and prevent deterioration in those assets.
The institution should:
1. Conduct periodic asset quality reviews to identify problem
assets;
2. Estimate the inherent losses in those assets and establish
reserves that are sufficient to absorb estimated losses;
3. Compare problem asset totals to capital;
4. Take appropriate corrective action to resolve problem assets;
5. Consider the size and potential risks of material asset
concentrations; and
6. Provide periodic asset reports with adequate information for
management and the board of directors to assess the level of asset
risk.
H. Earnings. An insured depository institution should establish
and maintain a system that is commensurate with the institution's
size and the nature and scope of its operations to evaluate and
monitor earnings and ensure that earnings are sufficient to maintain
adequate capital and reserves. The institution should:
1. Compare recent earnings trends relative to equity, assets, or
other commonly used benchmarks to the institution's historical
results and those of its peers;
2. Evaluate the adequacy of earnings given the size, complexity,
and risk profile of the institution's assets and operations;
3. Assess the source, volatility, and sustainability of
earnings, including the effect of nonrecurring or extraordinary
income or expense;
4. Take steps to ensure that earnings are sufficient to maintain
adequate capital and reserves after considering the institution's
asset quality and growth rate; and
5. Provide periodic earnings reports with adequate information
for management and the board of directors to assess earnings
performance.
I. Compensation, fees and benefits. An institution should
maintain safeguards to prevent the payment of compensation, fees,
and benefits that are excessive or that could lead to material
financial loss to the institution.
III. Prohibition on Compensation That Constitutes an Unsafe and Unsound
Practice
A. Excessive Compensation
Excessive compensation is prohibited as an unsafe and unsound
practice. Compensation shall be considered excessive when amounts
paid are unreasonable or disproportionate to the services performed
by an executive officer, employee, director, or principal
shareholder, considering the following:
1. The combined value of all cash and noncash benefits provided
to the individual;
2. The compensation history of the individual and other
individuals with comparable expertise at the institution;
3. The financial condition of the institution;
4. Comparable compensation practices at comparable institutions,
based upon such factors as asset size, geographic location, and the
complexity of the loan portfolio or other assets;
5. For postemployment benefits, the projected total cost and
benefit to the institution;
6. Any connection between the individual and any fraudulent act
or omission, breach of trust or fiduciary duty, or insider abuse
with regard to the institution; and
7. Any other factors the agencies determine to be relevant.
B. Compensation Leading to Material Financial Loss
Compensation that could lead to material financial loss to an
institution is prohibited as an unsafe and unsound practice.
\1\ Section 39 of the Federal Deposit Insurance Act (12 U.S.C.
1831p-1) was added by section 132 of the Federal Deposit Insurance
Corporation Improvement Act of 1991 (FDICIA), Pub. L. 102-242, 105
Stat. 2236 (1991), and amended by section 956 of the Housing and
Community Development Act of 1992, Pub. L. 102-550, 106 Stat. 3895
(1992) and section 318 of the Riegle Community Development and
Regulatory Improvement Act of 1994, Pub. L. 103-325, 108 Stat. 2160
(1994).
\2\ For the Office of the Comptroller of the Currency, these
regulations appear at 12 CFR part 30; for the Board of Governors of
the Federal Reserve System, these regulations appear at 12 CFR part
263; and for the Federal Deposit Insurance Corporation, these
regulations appear at 12 CFR part 308, subpart R.
\3\ In applying these definitions for savings associations,
pursuant to 12 U.S.C. 1464, savings associations shall use the terms
``savings association'' and ``insured savings association'' in place
of the terms ``member bank'' and ``insured bank''.
\4\ See footnote 3 in section I.B.4. of this appendix.
\5\ See footnote 3 in section I.B.4. of this appendix.
Appendix B to Part 364--Interagency Guidelines Establishing Information
Security Standards
Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security
Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards
I. Introduction
The Interagency Guidelines Establishing Information Security
Standards (Guidelines) set forth standards pursuant to section 39 of
the Federal Deposit Insurance Act, 12 U.S.C. 1831p-1, and sections
501 and 505(b), 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-
Bliley Act. These Guidelines address standards for developing and
implementing administrative, technical, and physical safeguards to
protect the security, confidentiality, and integrity of customer
information. These Guidelines also address standards with respect to
the proper disposal of consumer information pursuant to sections 621
and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and
1681w).
A. Scope. The Guidelines apply to customer information
maintained by or on behalf of, and to the disposal of consumer
information by or on the behalf of, entities over which the Federal
Deposit Insurance Corporation (FDIC) has authority. Such entities,
referred to as ``insured depository institution'' or ``institution''
are banks insured by the FDIC (other than members of the Federal
Reserve System), state savings associations insured by the FDIC,
insured state branches of foreign banks, and any subsidiaries of
such entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisers).
B. Preservation of Existing Authority. Neither section 39 nor
these Guidelines in any way limit the authority of the FDIC to
address unsafe or unsound practices, violations of law, unsafe or
unsound conditions, or other practices. The FDIC may take action
under section 39 and these Guidelines independently of, in
conjunction with, or in addition to, any other enforcement action
available to the FDIC.
C. Definitions. 1. Except as modified in the Guidelines, or
unless the context otherwise requires, the terms used in these
Guidelines have the same meanings as set forth in sections 3 and 39
of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p-1).
2. For purposes of the Guidelines, the following definitions
apply:
a. Board of directors, in the case of a branch or agency of a
foreign bank, means the managing official in charge of the branch or
agency.
b. Consumer Information means any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report and that is maintained
or otherwise possessed by or on behalf of the institution for a
business purpose. Consumer information also means a compilation of
such records. The term does not include any record that does not
personally identify an individual.
i. Examples: (1) Consumer information includes:
(A) A consumer report that an institution obtains;
(B) information from a consumer report that the institution
obtains from its affiliate after the consumer has been given a
notice and has elected not to opt out of that sharing;
(C) information from a consumer report that the institution
obtains about an individual who applies for but does not receive a
loan, including any loan sought by an individual for a business
purpose;
(D) information from a consumer report that the institution
obtains about an individual who guarantees a loan (including a loan
to a business entity); or
(E) information from a consumer report that the institution
obtains about an employee or prospective employee.
(2) Consumer information does not include:
(A) Aggregate information, such as the mean score, derived from
a group of consumer reports; or
(B) blind data, such as payment history on accounts that are not
personally identifiable, that may be used for developing credit
scoring models or for other purposes.
c. Consumer report has the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681a(d).
d. Customer means any customer of the institution as defined in
Sec. 332.3(h) of this chapter.
e. Customer information means any record containing nonpublic
personal information, as defined in Sec. 332.3(n) of this chapter,
about a customer, whether in paper, electronic, or other form, that
is maintained by or on behalf of the institution.
f. Customer information systems means any methods used to
access, collect, store, use, transmit, protect, or dispose of
customer information.
g. Service provider means any person or entity that maintains,
processes, or otherwise is permitted access to customer information
or consumer information through its provision of services directly
to the institution.
II. Standards for Information Security
A. Information Security Program. Each insured depository
institution shall implement a comprehensive written information
security program that includes administrative, technical, and
physical safeguards appropriate to the size and complexity of the
institution and the nature and scope of its activities. While all
parts of the institution are not required to implement a uniform set
of policies, all elements of the information security program must
be coordinated.
B. Objectives. An institution's information security program
shall be designed to:
1. Ensure the security and confidentiality of customer
information;
2. Protect against any anticipated threats or hazards to the
security or integrity of such information;
3. Protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience
to any customer; and
4. Ensure the proper disposal of customer information and
consumer information.
III. Development and Implementation of Information Security Program
A. Involve the Board of Directors. The board of directors or an
appropriate committee of the board of each insured depository
institution shall:
1. Approve the institution's written information security
program; and
2. Oversee the development, implementation, and maintenance of
the institution's information security program, including assigning
specific responsibility for its implementation and reviewing reports
from management.
B. Assess Risk.
Each institution shall:
1. Identify reasonably foreseeable internal and external threats
that could result in unauthorized disclosure, misuse, alteration, or
destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats,
taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer
information systems, and other arrangements in place to control
risks.
C. Manage and Control Risk. Each institution shall:
1. Design its information security program to control the
identified risks, commensurate with the sensitivity of the
information as well as the complexity and scope of the institution's
activities. Each institution must consider whether the following
security measures are appropriate for the institution and, if so,
adopt those measures the institution concludes are appropriate:
a. Access controls on customer information systems, including
controls to authenticate and permit access only to authorized
individuals and controls to prevent employees from providing
customer information to unauthorized individuals who may seek to
obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer
information, such as buildings, computer facilities, and records
storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including
while in transit or in storage on networks or systems to which
unauthorized individuals may have access;
d. Procedures designed to ensure that customer information
system modifications are consistent with the institution's
information security program;
e. Dual control procedures, segregation of duties, and employee
background checks for employees with responsibilities for or access
to customer information;
f. Monitoring systems and procedures to detect actual and
attempted attacks on or intrusions into customer information
systems;
g. Response programs that specify actions to be taken when the
institution suspects or detects that unauthorized individuals have
gained access to customer information systems, including appropriate
reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of
customer information due to potential environmental hazards, such as
fire and water damage or technological failures.
2. Train staff to implement the institution's information
security program.
3. Regularly test the key controls, systems and procedures of
the information security program. The frequency and nature of such
tests should be determined by the institution's risk assessment.
Tests should be conducted or reviewed by independent third parties
or staff independent of those that develop or maintain the security
programs.
4. Develop, implement, and maintain, as part of its information
security program, appropriate measures to properly dispose of
customer information and consumer information in accordance with
each of the requirements of this paragraph III.
D. Oversee Service Provider Arrangements. Each institution
shall:
1. Exercise appropriate due diligence in selecting its service
providers;
2. Require its service providers by contract to implement
appropriate measures designed to meet the objectives of these
Guidelines; and
3. Where indicated by the institution's risk assessment, monitor
its service providers to confirm that they have satisfied their
obligations as required by paragraph D.2. As part of this
monitoring, an institution should review audits, summaries of test
results, or other equivalent evaluations of its service providers.
E. Adjust the Program. Each institution shall monitor, evaluate,
and adjust, as appropriate, the information security program in
light of any relevant changes in technology, the sensitivity of its
customer information, internal or external threats to information,
and the institution's own changing business arrangements, such as
mergers and acquisitions, alliances and joint ventures, outsourcing
arrangements, and changes to customer information systems.
F. Report to the Board. Each institution shall report to its
board or an appropriate committee of the board at least annually.
This report should describe the overall status of the information
security program and the institution's compliance with these
Guidelines. The report, which will vary depending upon the
complexity of each institution's program, should discuss material
matters related to its program, addressing issues such as: Risk
assessment; risk management and control decisions; service provider
arrangements; results of testing; security breaches or violations,
and management's responses; and recommendations for changes in the
information security program.
G. Implement the Standards. 1. Effective date. Each institution
must implement an information security program pursuant to these
Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers.
Until July 1, 2003, a contract that an institution has entered into
with a service provider to perform services for it or functions on
its behalf, satisfies the provisions of paragraph III.D., even if
the contract does not include a requirement that the servicer
maintain the security and confidentiality of customer information as
long as the institution entered into the contract on or before March
5, 2001.
3. Effective date for measures relating to the disposal of
consumer information. Each institution must satisfy these Guidelines
with respect to the proper disposal of consumer information by July
1, 2005.
4. Exception for existing agreements with service providers
relating to the disposal of consumer information. Notwithstanding
the requirement in paragraph III.G.3., an institution's contracts
with its service providers that have access to consumer information
and that may dispose of consumer information, entered into before
July 1, 2005, must comply with the provisions of the Guidelines
relating to the proper disposal of consumer information by July 1,
2006.
Supplement A to Appendix B to Part 364--Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer
Notice
I. Background
This Guidance \1\ interprets section 501(b) of the Gramm-Leach-
Bliley Act (GLBA) and the Interagency Guidelines Establishing
Information Security Standards (the Security Guidelines) \2\ and
describes response programs, including customer notification
procedures, that a financial institution should develop and
implement to address unauthorized access to or use of customer
information that could result in substantial harm or inconvenience
to a customer. The scope of, and definitions of terms used in, this
Guidance are identical to those of the Security Guidelines. For
example, the term ``customer information'' is the same term used in
the Security Guidelines, and means any record containing nonpublic
personal information about a customer, whether in paper, electronic,
or other form, maintained by or on behalf of the institution.
A. Interagency Security Guidelines
Section 501(b) of the GLBA required the Agencies to establish
appropriate standards for financial institutions subject to their
jurisdiction that include administrative, technical, and physical
safeguards, to protect the security and confidentiality of customer
information. Accordingly, the Agencies issued Security Guidelines
requiring every financial institution to have an information
security program designed to:
1. Ensure the security and confidentiality of customer
information;
2. Protect against any anticipated threats or hazards to the
security or integrity of such information; and
3. Protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience
to any customer.
B. Risk Assessment and Controls
1. The Security Guidelines direct every financial institution to
assess the following risks, among others, when developing its
information security program:
a. Reasonably foreseeable internal and external threats that
could result in unauthorized disclosure, misuse, alteration, or
destruction of customer information or customer information systems;
b. The likelihood and potential damage of threats, taking into
consideration the sensitivity of customer information; and
c. The sufficiency of policies, procedures, customer information
systems, and other arrangements in place to control risks.\3\
2. Following the assessment of these risks, the Security
Guidelines require a financial institution to design a program to
address the identified risks. The particular security measures an
institution should adopt will depend upon the risks presented by the
complexity and scope of its business. At a minimum, the financial
institution is required to consider the specific security measures
enumerated in the Security Guidelines,\4\ and adopt those that are
appropriate for the institution, including:
a. Access controls on customer information systems, including
controls to authenticate and permit access only to authorized
individuals and controls to prevent employees from providing
customer information to unauthorized individuals who may seek to
obtain this information through fraudulent means;
b. Background checks for employees with responsibilities for
access to customer information; and
c. Response programs that specify actions to be taken when the
financial institution suspects or detects that unauthorized
individuals have gained access to customer information systems,
including appropriate reports to regulatory and law enforcement
agencies.\5\
C. Service Providers
The Security Guidelines direct every financial institution to
require its service providers by contract to implement appropriate
measures designed to protect against unauthorized access to or use
of customer information that could result in substantial harm or
inconvenience to any customers.\6\
II. Response Program
Millions of Americans, throughout the country, have been victims
of identity theft.\7\ Identity thieves misuse personal information
they obtain from a number of sources, including financial
institutions, to perpetrate identity theft. Therefore, financial
institutions should take preventative measures to safeguard customer
information against attempts to gain unauthorized access to the
information. For example, financial institutions should place access
controls on customer information systems and conduct background
checks for employees who are authorized to access customer
information.\8\ However, every financial institution should also
develop and implement a risk-based response program to address
incidents of unauthorized access to customer information in customer
information systems \9\ that occur nonetheless. A response program
should be a key part of an institution's information security
program.\10\ The program should be appropriate to the size and
complexity of the institution and the nature and scope of its
activities.
In addition, each institution should be able to address
incidents of unauthorized access to customer information in customer
information systems maintained by its domestic and foreign service
providers. Therefore, consistent with the obligations in the
Guidelines that relate to these arrangements, and with existing
guidance on this topic issued by the Agencies,\11\ an institution's
contract with its service provider should require the service
provider to take appropriate actions to address incidents of
unauthorized access to the financial institution's customer
information, including notification to the institution as soon as
possible of any such incident, to enable the institution to
expeditiously implement its response program.
A. Components of a Response Program
1. At a minimum, an institution's response program should
contain procedures for the following:
a. Assessing the nature and scope of an incident, and
identifying what customer information systems and types of customer
information have been accessed or misused;
b. Notifying its primary Federal regulator as soon as possible
when the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer information, as
defined below;
c. Consistent with the Agencies' Suspicious Activity Report
(``SAR'') regulations,\12\ notifying appropriate law enforcement
authorities, in addition to filing a timely SAR in situations
involving Federal criminal violations requiring immediate attention,
such as when a reportable violation is ongoing;
d. Taking appropriate steps to contain and control the incident
to prevent further unauthorized access to or use of customer
information, for example, by monitoring, freezing, or closing
affected accounts, while preserving records and other evidence;\13\
and
e. Notifying customers when warranted.
2. Where an incident of unauthorized access to customer
information involves customer information systems maintained by an
institution's service providers, it is the responsibility of the
financial institution to notify the institution's customers and
regulator. However, an institution may authorize or contract with
its service provider to notify the institution's customers or
regulator on its behalf.
III. Customer Notice
Financial institutions have an affirmative duty to protect their
customers' information against unauthorized access or use. Notifying
customers of a security incident involving the unauthorized access
or use of the customer's information in accordance with the standard
set forth below is a key part of that duty. Timely notification of
customers is important to manage an institution's reputation risk.
Effective notice also may reduce an institution's legal risk, assist
in maintaining good customer relations, and enable the institution's
customers to take steps to protect themselves against the
consequences of identity theft. When customer notification is
warranted, an institution may not forgo notifying its customers of
an incident because the institution believes that it may be
potentially embarrassed or inconvenienced by doing so.
A. Standard for Providing Notice
When a financial institution becomes aware of an incident of
unauthorized access to sensitive customer information, the
institution should conduct a reasonable investigation to promptly
determine the likelihood that the information has been or will be
misused. If the institution determines that misuse of its
information about a customer has occurred or is reasonably possible,
it should notify the affected customer as soon as possible. Customer
notice may be delayed if an appropriate law enforcement agency
determines that notification will interfere with a criminal
investigation and provides the institution with a written request
for the delay. However, the institution should notify its customers
as soon as notification will no longer interfere with the
investigation.
[[Page 5062]]
1. Sensitive Customer Information
Under the Guidelines, an institution must protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer.
Substantial harm or inconvenience is most likely to result from
improper access to sensitive customer information because this type
of information is most likely to be misused, as in the commission of
identity theft. For purposes of this Guidance, sensitive customer
information means a customer's name, address, or telephone number,
in conjunction with the customer's social security number, driver's
license number, account number, credit or debit card number, or a
personal identification number or password that would permit access
to the customer's account. Sensitive customer information also
includes any combination of components of customer information that
would allow someone to log onto or access the customer's account,
such as user name and password or password and account number.
2. Affected Customers
If a financial institution, based upon its investigation, can
determine from its logs or other data precisely which customers'
information has been improperly accessed, it may limit notification
to those customers with regard to whom the institution determines
that misuse of their information has occurred or is reasonably
possible. However, there may be situations where the institution
determines that a group of files has been accessed improperly, but
is unable to identify which specific customers' information has been
accessed. If the circumstances of the unauthorized access lead the
institution to determine that misuse of the information is
reasonably possible, it should notify all customers in the group.
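The two determinations described in III.A.1 and III.A.2 (does an accessed record contain sensitive customer information, and which customers were exposed) are what an incident responder actually has to work out from logs. The following is an added illustration, not part of the Guidance or of any agency's tooling, and every log line, session id, customer id, file path and field name in it is constructed sample data. It encodes the Guidance's definition of sensitive customer information as a field-combination check and then scopes the notification set, falling back to the whole file group when the log does not resolve an access to a particular customer.

```python
"""Added example: scoping customer notification after an incident.

Not from the Interagency Guidance; all sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Name/address/phone become "sensitive" when paired with one of these
# identifiers (Guidance, III.A.1).
IDENTIFYING_FIELDS = {"name", "address", "phone"}
SECRET_FIELDS = {"ssn", "drivers_license", "account_number",
                 "card_number", "pin", "password"}
# Combinations that by themselves permit logging on to the account.
CREDENTIAL_COMBOS = [{"username", "password"}, {"password", "account_number"}]


def is_sensitive(fields: Iterable[str]) -> bool:
    """True if the accessed fields meet the Guidance's definition of
    sensitive customer information."""
    f = set(fields)
    if f & IDENTIFYING_FIELDS and f & SECRET_FIELDS:
        return True
    return any(combo <= f for combo in CREDENTIAL_COMBOS)


@dataclass(frozen=True)
class AccessEvent:
    session: str            # session or actor id from the access log
    resource: str           # record or file-group path that was read
    customer: Optional[str]  # None when the log cannot attribute a customer
    fields: Tuple[str, ...]  # data elements contained in the record


# Constructed access log. "s-42" is the session the investigation flagged.
SAMPLE_LOG = [
    AccessEvent("s-42", "/cust/C001", "C001", ("name", "ssn")),
    AccessEvent("s-42", "/cust/C002", "C002", ("name", "address")),
    AccessEvent("s-42", "/batch/2014q4", None, ("name", "account_number")),
    AccessEvent("s-7", "/cust/C009", "C009", ("name", "ssn")),
    AccessEvent("s-42", "/cust/C006", "C006", ("username", "password")),
]

# Constructed mapping from a file group to the customers whose records it
# holds; used when the log only shows that the group was read.
GROUP_MEMBERS = {"/batch/2014q4": {"C003", "C004", "C005"}}


def scope_notification(events: Iterable[AccessEvent], suspect_session: str,
                       group_members: dict) -> Tuple[Set[str], Set[str]]:
    """Return (customers to notify, file groups that could not be resolved
    to individual customers). Non-sensitive reads and other sessions are
    ignored; unresolved groups expand to all of their members, as III.A.2
    directs."""
    affected: Set[str] = set()
    unresolved: Set[str] = set()
    for ev in events:
        if ev.session != suspect_session or not is_sensitive(ev.fields):
            continue
        if ev.customer is not None:
            affected.add(ev.customer)
        else:
            unresolved.add(ev.resource)
    for group in unresolved:
        # The log proves the group was read but not which records: notify all.
        affected |= group_members.get(group, set())
    return affected, unresolved


if __name__ == "__main__":
    notify, groups = scope_notification(SAMPLE_LOG, "s-42", GROUP_MEMBERS)
    print("notify:", sorted(notify))
    print("unresolved groups:", sorted(groups))
```

Two design points are worth noting. The name/address read of C002 does not trigger notice on its own because it carries no secret element, which matches the definition; and the group fallback is deliberately conservative, since the institution bears the burden of showing precisely which records were touched before it may narrow the notified set.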
B. Content of Customer Notice
1. Customer notice should be given in a clear and conspicuous
manner. The notice should describe the incident in general terms and
the type of customer information that was the subject of
unauthorized access or use. It also should generally describe what
the institution has done to protect the customers' information from
further unauthorized access. In addition, it should include a
telephone number that customers can call for further information and
assistance.\14\ The notice also should remind customers of the need
to remain vigilant over the next twelve to twenty-four months, and
to promptly report incidents of suspected identity theft to the
institution. The notice should include the following additional
items, when appropriate:
a. A recommendation that the customer review account statements
and immediately report any suspicious activity to the institution;
b. A description of fraud alerts and an explanation of how the
customer may place a fraud alert in the customer's consumer reports
to put the customer's creditors on notice that the customer may be a
victim of fraud;
c. A recommendation that the customer periodically obtain credit
reports from each nationwide credit reporting agency and have
information relating to fraudulent transactions deleted;
d. An explanation of how the customer may obtain a credit report
free of charge; and
e. Information about the availability of the FTC's online
guidance regarding steps a consumer can take to protect against
identity theft. The notice should encourage the customer to report
any incidents of identity theft to the FTC, and should provide the
FTC's Web site address and toll-free telephone number that customers
may use to obtain the identity theft guidance and report suspected
incidents of identity theft.\15\
2. The Agencies encourage financial institutions to notify the
nationwide consumer reporting agencies prior to sending notices to a
large number of customers that include contact information for the
reporting agencies.
C. Delivery of Customer Notice
Customer notice should be delivered in any manner designed to
ensure that a customer can reasonably be expected to receive it. For
example, the institution may choose to contact all customers
affected by telephone or by mail, or by electronic mail for those
customers for whom it has a valid email address and who have agreed
to receive communications electronically.
\1\ This Guidance was jointly issued by the Board of Governors
of the Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), the Office of the Comptroller of the Currency
(OCC), and the Office of Thrift Supervision (OTS). Pursuant to 12
U.S.C. 5412, the OTS is no longer a party to this Guidance.
\2\ 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and
part 225, app. F (Board); and 12 CFR part 364, app. B (FDIC). The
``Interagency Guidelines Establishing Information Security
Standards'' were formerly known as ``The Interagency Guidelines
Establishing Standards for Safeguarding Customer Information.''
\3\ See Security Guidelines, III.B.
\4\ See Security Guidelines, III.C.
\5\ See Security Guidelines, III.C.
\6\ See Security Guidelines, II.B, and III.D. Further, the
Agencies note that, in addition to contractual obligations to a
financial institution, a service provider may be required to
implement its own comprehensive information security program in
accordance with the Safeguards Rule promulgated by the Federal Trade
Commission (FTC), 12 CFR part 314.
\7\ The FTC estimates that nearly 10 million Americans
discovered they were victims of some form of identity theft in 2002.
See The Federal Trade Commission. Identity Theft Survey Report
(September 2003), available at https://www.ftc.gov/os/2003/09/synovatereport.pdf.
\8\ Institutions should also conduct background checks of
employees to ensure that the institution does not violate 12 U.S.C.
1829, which prohibits an institution from hiring an individual
convicted of certain criminal offenses or who is subject to a
prohibition order under 12 U.S.C. 1818(e)(6).
\9\ Under the Guidelines, an institution's customer information
systems consist of all of the methods used to access, collect,
store, use, transmit, protect, or dispose of customer information,
including the systems maintained by its service providers. See
Security Guidelines, I.C.2.d.
\10\ See FFIEC Information Technology Examination Handbook,
Information Security Booklet, Dec. 2002, available at https://ithandbook.ffiec.gov/it-booklets/information-security.aspx; Federal
Reserve SR 97-32, Sound Practice Guidance for Information Security
for Networks, Dec. 4, 1997; OCC Bulletin 2000-14, ``Infrastructure
Threats--Intrusion Risks'' (May 15, 2000), for additional guidance
on preventing, detecting, and responding to intrusions into
financial institutions' computer systems.
\11\ See Federal Reserve SR Ltr. 13-19, Guidance on Managing
Outsourcing Risk, Dec. 5, 2013; OCC Bulletin 2013-29, ``Third-Party
Relationships--Risk Management Guidance,'' Oct. 30, 2013; and FDIC
FIL 44-08, Guidance for Managing Third Party Risk, June 6, 2008 and
FIL 68-99, Risk Assessment Tools and Practices for Information
System Security, July 7, 1999.
\12\ An institution's obligation to file a SAR is set out in
the Agencies' SAR regulations and Agency guidance. See, for example,
12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR
163.180 (Federal savings associations); 12 CFR 208.62 (State member
banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR
211.24(f) (uninsured State branches and agencies of foreign banks);
12 CFR 225.4(f) (bank holding companies and their nonbank
subsidiaries); and 12 CFR part 353 (State non-member banks).
National banks must file SARs in connection with computer intrusions
and other computer crimes. See OCC Bulletin 2000-14,
``Infrastructure Threats--Intrusion Risks'' (May 15, 2000); Advisory
Letter 97-9, ``Reporting Computer Related Crimes'' (November 19,
1997) (general guidance still applicable though instructions for new
SAR form published in 65 FR 1229, 1230 (January 7, 2000)). See also
Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr.
26, 2001.
\13\ See FFIEC Information Technology Examination Handbook,
Information Security Booklet, Dec. 2002, pp. 68-74.
\14\ The institution should, therefore, ensure that it has
reasonable policies and procedures in place, including trained
personnel, to respond appropriately to customer inquiries and
requests for assistance.
\15\ Currently, the FTC Web site for the ID Theft brochure and
the FTC Hotline phone number are https://www.consumer.gov/idtheft and
1-877-IDTHEFT. The institution may also refer customers to any
materials developed pursuant to section 151(b) of the FACT Act
(educational materials developed by the FTC to teach the public how
to prevent identity theft).
PART 391--FORMER OFFICE OF THRIFT SUPERVISION REGULATIONS
4. The authority citation for part 391 is revised to read as follows:
Authority: 12 U.S.C. 1819 (Tenth).
Subpart A also issued under 12 U.S.C. 1462a; 1463; 1464; 1828;
1831p-1; 1881-1884; 15 U.S.C. 1681w; 15 U.S.C. 6801; 6805.
[[Page 5063]]
Subpart C also issued under 12 U.S.C. 1462a; 1463; 1464; 1828;
1831p-1; and 1881-1884; 15 U.S.C. 1681m; 1681w.
Subpart D also issued under 12 U.S.C. 1462; 1462a; 1463; 1464;
42 U.S.C. 4012a; 4104a; 4104b; 4106; 4128.
Subpart E also issued under 12 U.S.C. 1467a; 1468; 1817; 1831i.
Subpart B--[Removed and Reserved]
5. Remove and reserve subpart B consisting of Sec. Sec. 391.10 through
391.14, appendix A to subpart B of part 391, and appendix B to subpart
B of part 391.
Dated at Washington, DC, this 21st day of January, 2015.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 2015-01325 Filed 1-29-15; 8:45 am]
BILLING CODE 6714-01-P