Removal of Transferred OTS Regulations Regarding Minimum Security Procedures Amendments to FDIC Regulations, 13839-13843 [2018-06161]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION

[Federal Register Volume 83, Number 63 (Monday, April 2, 2018)]
[Rules and Regulations]
[Pages 13839-13843]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-06161]


=======================================================================
-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 326 and 391

RIN 3064-AE47


Removal of Transferred OTS Regulations Regarding Minimum Security 
Procedures Amendments to FDIC Regulations

AGENCY: Federal Deposit Insurance Corporation.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Deposit Insurance Corporation (``FDIC'') is 
adopting a final rule to rescind and remove a part from the Code of 
Federal Regulations entitled ``Security Procedures'' and to amend FDIC 
regulations to make the removed Office of Thrift Supervision (``OTS'') 
regulations applicable to State savings associations.

DATES: The final rule is effective on May 2, 2018.

FOR FURTHER INFORMATION CONTACT: Lauren Whitaker, Senior Attorney, 
Consumer Compliance Section, Legal Division (202) 898-3872; Karen Jones 
Currie, Senior Examination Specialist, Division of Risk Management and 
Supervision (202) 898-3981.

SUPPLEMENTARY INFORMATION: Part 391, subpart A, was included in the 
regulations that were transferred to the FDIC from the Office of Thrift 
Supervision (``OTS'') on July 21, 2011, in connection with the 
implementation of applicable provisions of title III of the Dodd-Frank 
Wall Street Reform and Consumer Protection Act (``Dodd-Frank Act'').\1\ 
With the exception of one provision (Sec.  391.5) the requirements for 
State savings associations in part 391, subpart A, are substantively 
identical to the requirements in the FDIC's 12 CFR part 326 (``part 
326''), which is entitled ``Minimum Security Procedures.'' The one 
exception directs savings associations to comply with appendix B to 
subpart B of Interagency Guidelines Establishing Information Security 
Standards (Interagency Guidelines) contained in FDIC rules at part 364, 
appendix B. The FDIC previously revised part 364 to make the 
Interagency Guidelines applicable to both State nonmember banks and 
State savings associations.\2\
---------------------------------------------------------------------------

    \1\ Dodd-Frank Wall Street Reform and Consumer Protection Act, 
Public Law 111-203, 124 Stat. 1376 (2010) (codified at 12 U.S.C. 
5301 et seq.).
    \2\ 80 FR 65907 (Oct. 28, 2015).
---------------------------------------------------------------------------

    The FDIC is adopting a final rule (``Final Rule'') to rescind in 
its entirety part 391, subpart A and to modify the scope of part 326 to 
include State savings associations to conform to and reflect the scope 
of the FDIC's current supervisory responsibilities as the appropriate 
Federal banking agency. The FDIC is also adding definitions of ``FDIC-
supervised insured depository institution or institution'' and ``State 
savings association.'' Upon removal of part 391, subpart A, the 
Security Procedures, regulations applicable for all insured depository 
institutions for which the FDIC has been designated the appropriate 
Federal banking agency will be found at 12 CFR part 326.

I. Background

The Dodd-Frank Act

    The Dodd-Frank Act provided for a substantial reorganization of the 
regulation of State and Federal savings associations and their holding 
companies. Beginning July 21, 2011, the transfer date established by 
section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the 
powers, duties, and functions formerly performed by the OTS were 
divided among the FDIC, as to State savings associations, the Office of 
the Comptroller of the Currency (``OCC''), as to Federal savings 
associations, and the Board of Governors of the Federal Reserve System 
(``FRB''), as to savings and loan holding companies. Section 316(b) of 
the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner 
of treatment for all orders, resolutions, determinations, regulations, 
and advisory materials that had been issued, made, prescribed, or 
allowed to become effective by the OTS. This section provides that if 
such materials were in effect on the day before the transfer date, they 
continue to be in effect and are enforceable by or against the 
appropriate successor agency until they are modified, terminated, set 
aside, or superseded in accordance with applicable law by such 
successor agency, by any court of competent jurisdiction, or by 
operation of law.
    Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 
5414(c), further directed the FDIC and the OCC to consult with one 
another and to publish a list of the continued OTS regulations that 
would be enforced by the FDIC and

[[Page 13840]]

the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors 
approved a ``List of OTS Regulations to be Enforced by the OCC and the 
FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer 
Protection Act.'' This list was published by the FDIC and the OCC as a 
Joint Notice in the Federal Register on July 6, 2011.\3\
---------------------------------------------------------------------------

    \3\ 76 FR 39247 (July 6, 2011).
---------------------------------------------------------------------------

    Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, 
codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking 
authority relating to both State and Federal savings associations, 
nothing in the Dodd-Frank Act affected the FDIC's existing authority to 
issue regulations under the FDI Act and other laws as the ``appropriate 
Federal banking agency'' or under similar statutory terminology. 
Section 312(c) of the Dodd-Frank Act amended the definition of 
``appropriate Federal banking agency'' contained in section 3(q) of the 
FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the 
list of entities for which the FDIC is designated as the ``appropriate 
Federal banking agency.'' As a result, when the FDIC acts as the 
designated ``appropriate Federal banking agency'' (or under similar 
terminology) for State savings associations, as it does here, the FDIC 
is authorized to issue, modify, and rescind regulations involving such 
associations, as well as for State nonmember banks and insured branches 
of foreign banks.
    As noted, on June 14, 2011, pursuant to this authority, the FDIC's 
Board of Directors reissued and redesignated certain transferring 
regulations of the former OTS. These transferred OTS regulations were 
published as new FDIC regulations in the Federal Register on August 5, 
2011.\4\ When it republished the transferred OTS regulations as new 
FDIC regulations, the FDIC specifically noted that its staff would 
evaluate the transferred OTS rules, and might later recommend 
incorporating the transferred OTS regulations into other FDIC rules, 
amending them, or rescinding them as appropriate.
---------------------------------------------------------------------------

    \4\ 76 FR 47652 (Aug. 5, 2011).
---------------------------------------------------------------------------

    One of the OTS rules transferred to the FDIC governed OTS oversight 
of minimum security devices and procedures for State savings 
associations. The OTS rule, formerly found at 12 CFR part 568, was 
transferred to the FDIC with only nominal changes, and is now found in 
the FDIC's rules at part 391, subpart A, entitled ``Security 
Procedures.'' Before the transfer of the OTS rules and continuing 
today, the FDIC's rules contained part 326, subpart A, entitled 
``Minimum Security Procedures,'' a rule governing FDIC oversight of 
security devices and procedures to discourage burglaries, robberies, 
and larcenies, and assist law enforcement in the identification and 
apprehension of those who commit such crimes with respect to insured 
depository institutions for which the FDIC has been designated the 
appropriate Federal banking agency. One provision in part 391, subpart 
A, namely Sec.  391.5, is not contained in part 326, subpart A. It 
directs savings associations and certain subsidiaries to comply with 
the Interagency Guidelines Establishing Information Security Standards, 
which were adopted jointly by the OTS and the FDIC and other banking 
agencies, and are contained in appendix B to part 364 in FDIC 
regulations.
    After careful review and comparison of part 391, subpart A, and 
part 326, the FDIC is adopting a Final Rule to rescind part 391, 
subpart A, because, as discussed below, it is substantively redundant 
to existing part 326, and simultaneously finalizes the technical 
conforming edits to the FDIC's existing rule.

FDIC's Existing 12 CFR Part 326 and Former OTS's Part 568 (Transferred 
to FDIC's Part 391, Subpart A)

    Section 3 of the Bank Protection Act of 1968 directed the 
appropriate Federal banking agencies and the OTS' predecessor, the 
Federal Home Loan Bank Board (``FHLBB''), to establish minimum security 
standards for banks and savings associations, at reasonable cost, to 
serve as a deterrent to robberies, burglaries, and larcenies, and to 
assist law enforcement in identifying and prosecuting persons who 
commit such acts.\5\ In the initial rulemakings, the agencies consulted 
and cooperated with each other to promote a goal of uniformity where 
practicable. The initial minimum security rules were simultaneously 
issued in January 1969 and were substantively the same.\6\
---------------------------------------------------------------------------

    \5\ 12 U.S.C. 1882.
    \6\ 34 FR 618 (January 16, 1969); 34 FR 621 (January 16, 1969).
---------------------------------------------------------------------------

    In 1991, the minimum security rules were substantially revised to 
reduce unnecessary specificity, remove obsolete requirements, and place 
greater responsibility on the boards of directors of insured financial 
institutions for establishing and ensuring the implementation and 
maintenance of security programs and procedures. The former FHLBB rules 
at 12 CFR part 563a were redesignated as 12 CFR part 568 by the OTS. 
The OTS rules remained substantively the same as the FDIC's rules in 
part 326, subpart A.\7\
---------------------------------------------------------------------------

    \7\ 56 FR 29565 (June 28, 1991); 56 FR 13579 (April 3, 1991).
---------------------------------------------------------------------------

    In 2001, the FDIC, other Federal banking agencies, and the OTS 
issued Interagency Guidelines for Safeguarding Customer Information 
pursuant to section 501 of the Gramm Leach Bliley Act (``Protection of 
Nonpublic Personal Information'').\8\ At the same time, the OTS added a 
provision at the end of its security procedures rules at section 568.5 
directing saving associations and certain subsidiaries to comply with 
appendix B to the Interagency Guidelines. In a preamble footnote, the 
OTS indicated that the reason for the additional provision to its 
minimum security rules was ``[b]ecause information security guidelines 
are similar to physical security procedures.'' \9\ In 2004, following 
enactment of the Fair and Accurate Credit Transactions Act (FACT Act), 
the OTS, FDIC, and other banking agencies revised the Interagency 
Guidelines for Safeguarding Customer Information and renamed them the 
Interagency Guidelines for Establishing Information Security Standards. 
The Interagency Guidelines were located in the FDIC rules at part 364. 
In 2015, the FDIC amended part 364 to, among other reasons, make it 
applicable to State savings associations.\10\ After careful comparison 
of the FDIC's part 326, subpart A, with the transferred OTS rule in 
part 391, subpart A, the FDIC has concluded that the transferred OTS 
rules governing minimum security procedures are substantively 
redundant. Based on the foregoing, the FDIC is adopting a Final Rule to 
rescind and remove from the Code of Federal Regulations the transferred 
OTS rules located at part 391, subpart A, and to make technical 
amendments to part 326, subpart A, to incorporate State savings 
associations.
---------------------------------------------------------------------------

    \8\ 66 FR 8616 (Feb. 1, 2001).
    \9\ Id. at footnote 2.
    \10\ 80 FR 65903 (Oct. 28, 2015).
---------------------------------------------------------------------------

II. The Proposed Rule

    Regarding the functions of the former OTS that were transferred to 
the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 
5414(b)(3), in pertinent part, provides that the former OTS's 
regulations will be enforceable by the FDIC until they are modified, 
terminated, set aside, or superseded in accordance with applicable law. 
After reviewing the rules currently found in part 391, subpart A, the 
FDIC issued a Notice of Proposed Rulemaking (``NPR'' or ``Proposed 
Rule''), which proposed to

[[Page 13841]]

(1) rescind part 391, subpart A, in its entirety; (2) modify the scope 
of part 326, subpart A, to include State savings associations and their 
subsidiaries to conform to and reflect the scope of FDIC's current 
supervisory responsibilities as the appropriate Federal banking agency 
for State savings associations; (3) delete the definition of ``insured 
nonmember bank'' and replace it with a definition of ``FDIC-supervised 
insured depository institution or institution,'' which means ``any 
State nonmember insured bank or State savings association for which the 
Federal Deposit Insurance Corporation is the appropriate Federal 
banking agency pursuant to section 3(q) of the Federal Deposit 
Insurance Act (12 U.S.C. 1813(q))''; (4) add a new subsection (i), 
which would define ``State savings association'' as having ``the same 
meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 
U.S.C. 1813(b)(3))''; and (5) make conforming technical edits 
throughout, including replacing the term ``bank'' with ``FDIC-
supervised insured depository institution'' or ``institution''. Under 
the Proposed Rule, oversight of minimum security procedures in part 
326, subpart A, would apply to all FDIC-supervised institutions, 
including State savings associations, and part 391, subpart A, would be 
removed because it is largely redundant of the rules found in part 326. 
Rescinding part 391, subpart A, will serve to streamline the FDIC's 
rules and eliminate unnecessary regulations.

III. Comments

    The FDIC issued the NPR with a 60-day comment period, which closed 
on January 3, 2017. The FDIC received no comments on its Proposed Rule, 
and consequently the Final Rule is adopted as proposed without any 
changes.

IV. Explanation of the Final Rule

    As discussed in the NPR, with the exception of one provision (Sec.  
391.5), the requirements for State savings associations in part 391, 
subpart A, are substantively identical to the requirements in the 
FDIC's 12 CFR part 326 (``part 326''). The one exception directs 
savings associations to comply with appendix B to subpart B of 
Interagency Guidelines Establishing Information Security Standards 
(Interagency Guidelines) contained in FDIC rules at part 364, appendix 
B. The FDIC previously revised part 364 to make the Interagency 
Guidelines applicable to both State nonmember banks and State savings 
associations. The designation of part 326 as a single authority 
regarding security standards and procedures will serve to streamline 
the FDIC's rules and eliminate unnecessary regulations. To that effect, 
the Final Rule removes and rescinds 12 CFR part 391, subpart A, in its 
entirety.
    Consistent with the Proposed Rule, the Final Rule modifies the 
scope of part 326, subpart A, to include State savings associations and 
their subsidiaries to conform to and reflect the scope of FDIC's 
current supervisory responsibilities as the appropriate Federal banking 
agency for State savings associations. The Final Rule also deletes the 
definition of ``insured nonmember bank'' and replaces it with a 
definition of ``FDIC-supervised insured depository institution or 
institution,'' which means ``any State nonmember insured bank or State 
savings association for which the Federal Deposit Insurance Corporation 
is the appropriate Federal banking agency pursuant to section 3(q) of 
the Federal Deposit Insurance Act (12 U.S.C. 1813(q)).'' Additionally, 
the Final Rule adds a new subsection (i), which would define ``State 
savings association'' as having ``the same meaning as in section 
3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3)) and 
makes conforming technical edits throughout, including replacing the 
term ``bank'' with ``FDIC-supervised insured depository institution'' 
or ``institution''.

V. Regulatory Analysis and Procedure

A. The Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act 
(``PRA'') of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or 
sponsor, and the respondent is not required to respond to, an 
information collection unless it displays a currently valid Office of 
Management and Budget (``OMB'') control number.
    The Final Rule would rescind and remove part 391, subpart A, from 
the FDIC regulations. This rule was transferred with only nominal 
changes to the FDIC from the OTS when the OTS was abolished by title 
III of the Dodd-Frank Act. Part 391, subpart A, is substantively 
similar to the FDIC's existing part 326, subpart A, regarding oversight 
of minimum security procedures for depository institutions with the 
exception of one provision at the end of part 391, subpart A, which 
directs savings associations to comply with Interagency Guidelines, 
which are located in Appendix B to part 364. In 2015, the FDIC proposed 
and finalized revisions to part 364 that made part 364, including the 
Interagency Guidelines in Appendix B, applicable to State savings 
associations as well as State nonmember banks.
    The Final Rule also (1) amends part 326, subpart A to include State 
savings associations and their subsidiaries within its scope; (2) 
defines ``FDIC-supervised insured depository institution or 
institution'' and ``State savings association''; and (3) makes 
conforming technical edits throughout. These measures clarify that 
State savings associations, as well as State nonmember banks, are 
subject to part 326, subpart A. With respect to part 326, subpart A, 
the Final Rule does not revise any existing, or create any new 
information collection pursuant to the PRA. Consequently, no submission 
has been made to the Office of Management and Budget for review.

B. The Regulatory Flexibility Act

    The Regulatory Flexibility Act requires an agency to consider the 
impact that a final rule will have on small entities (defined in 
regulations promulgated by the Small Business Administration to include 
banking organizations with total assets of less than or equal to $550 
million).\11\ However, a regulatory flexibility analysis is not 
required if the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities, 
and publishes its certification and a short explanatory Statement in 
the Federal Register together with the rule. For the reasons provided 
below, the FDIC certifies that the Final Rule would not have a 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \11\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    As discussed in the NPR, part 391, subpart A, was transferred from 
OTS part 568, which governed minimum security procedures for depository 
institutions. The initial minimum security rules, though issued 
separately by the agencies, were all published in January 1969. The OTS 
rule, part 568, had been in effect since 1991 and all State savings 
associations were required to comply with it. Because it is 
substantially the same as existing part 326, subpart A of the FDIC's 
rules and therefore redundant, the FDIC is adopting a final rule to 
rescind and remove the transferred regulation now located in part 391, 
subpart A. As a result, all FDIC-supervised institutions--including 
State savings associations and their subsidiaries--would be required to 
comply with the minimum security procedures in part 326, subpart A. 
Because all State savings associations and their subsidiaries have

[[Page 13842]]

been required to comply with nearly identical security procedures rules 
since 1969, the Final Rule would not place additional requirements or 
burdens on any State savings association irrespective of its size. 
Therefore, the Final Rule would not have a significant impact on a 
substantial number of small entities.

C. Small Business Regulatory Enforcement Fairness Act

    The Office of Management and Budget has determined that the Final 
Rule is not a ``major rule'' within the meaning of the Small Business 
Regulatory Enforcement Fairness Act of 1996 (``SBREFA''), 5 U.S.C. 801 
et seq. As required by SBREFA, the FDIC will submit the Final Rule and 
other appropriate reports to Congress and the Government Accountability 
Office for review.

D. Plain Language

    Section 722 of the Gramm-Leach- Bliley Act, codified at 12 U.S.C. 
4809, requires each Federal banking agency to use plain language in all 
of its proposed and final rules published after January 1, 2000. In the 
NPR, the FDIC invited comments on whether the Proposed Rule was clearly 
stated and effectively organized, and how the FDIC might make it easier 
to understand. Although the FDIC did not receive any comments, the FDIC 
sought to present the Final Rule in a simple and straightforward 
manner.

D. The Economic Growth and Regulatory Paperwork Reduction Act

    Under section 2222 of the Economic Growth and Regulatory Paperwork 
Reduction Act of 1996 (``EGRPRA''), the FDIC is required to review all 
of its regulations, at least once every 10 years, in order to identify 
any outdated or otherwise unnecessary regulations imposed on insured 
institutions.\12\ The FDIC, along with the other Federal banking 
agencies, submitted a Joint Report to Congress on March 21, 2017 
(``EGRPRA Report'') discussing how the review was conducted, what has 
been done to date to address regulatory burden, and further measures we 
will take to address issues that were identified.\13\ As noted in the 
EGRPRA Report, the FDIC is continuing to streamline and clarify its 
regulations through the OTS rule integration process. By removing 
outdated or unnecessary regulations, such as part 391, subpart A, and 
modifying the Minimum Security Procedures, this rule complements other 
actions the FDIC has taken, separately and with the other Federal 
banking agencies, to further the EGRPRA mandate.
---------------------------------------------------------------------------

    \12\ Public Law 104-208, 110 Stat. 3009 (1996).
    \13\ 82 FR 15900 (March 31, 2017).
---------------------------------------------------------------------------

E. Riegle Community Development and Regulatory Improvement Act of 1994

    The Riegle Community Development and Regulatory Improvement Act of 
1994 (RCDRIA) requires the FDIC, in determining the effective date and 
administrative compliance requirements for new regulations that impose 
additional reporting, disclosure, or other requirements on insured 
depository institutions, consider, consistent with principles of safety 
and soundness and the public interest, any administrative burdens that 
such regulations would place on depository institutions, including 
small depository institutions, and customers of depository 
institutions, as well as the benefits of such regulations. In addition, 
new regulations and amendments to regulations that impose additional 
reporting, disclosures, or other new requirements on insured depository 
institutions generally must take effect on the first day of a calendar 
quarter that begins on or after the date on which the regulations are 
published in final form.\14\ The final rule includes no new reporting, 
disclosure, or other new requirements on insured depository 
institutions. Therefore, the final rule is not subject to the 
requirements of the statute.
---------------------------------------------------------------------------

    \14\ 12 U.S.C. 4802.
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 326

    Banks, Banking, Minimum security procedures, Savings associations.

12 CFR Part 391

    Security procedures.

Authority and Issuance

    For the reasons stated in the preamble, the Board of Directors of 
the Federal Deposit Insurance Corporation amends 12 CFR parts 326 and 
391 as follows:

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY 
ACT 1 COMPLIANCE
---------------------------------------------------------------------------

    \1\ In its original form, subchapter II of chapter 53 of title 
31, U.S.C. was part of Public Law 91-508 which requires 
recordkeeping for and reporting of currency transactions by banks 
and others and is commonly known as the Bank Secrecy Act.

0
1. The authority citation for part 326 continues to read as follows:

    Authority:  12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 
1881-1883; 31 U.S.C. 5311-5314 and 5316-5332.2.


0
2. Revise subpart A to read as follows:

Subpart A--Minimum Security Procedures

Sec.
326.0 Authority, purpose, and scope.
326.1 Definitions.
326.2 Designation of security officer.
326.3 Security program.
326.4 Reports.


Sec.  326.0   Authority, purpose, and scope.

    (a) This part is issued by the Federal Deposit Insurance 
Corporation (``FDIC'') pursuant to section 3 of the Bank Protection Act 
of 1968 (12 U.S.C. 1882). It applies to FDIC-supervised insured 
depository institutions. It requires each institution to adopt 
appropriate security procedures to discourage robberies, burglaries, 
and larcenies and to assist in identifying and apprehending persons who 
commit such acts.
    (b) It is the responsibility of the institution's board of 
directors to comply with this part and ensure that a written security 
program for the institution's main office and branches is developed and 
implemented.


Sec.  326.1  Definitions.

    For the purposes of this part--
    (a) The term FDIC-supervised insured depository institution or 
institution means any insured depository institution for which the 
Federal Deposit Insurance Corporation is the appropriate Federal 
banking agency pursuant to section 3(q)(2) of the Federal Deposit 
Insurance Act, 12 U.S.C. 1813(q)(2).
    (b) The term banking office includes any branch of an institution 
and, in the case of an FDIC-supervised insured depository institution; 
it includes the main office of that institution.
    (c) The term branch for an institution chartered under the laws of 
any state of the United States includes any branch institution, branch 
office, branch agency, additional office, or any branch place of 
business located in any state or territory of the United States, 
District of Columbia, Puerto Rico, Guam, American Samoa, the Trust 
Territory of the Pacific Islands, the Northern Mariana Islands or the 
Virgin Islands at which deposits are received or checks paid or money 
lent. In the case of a foreign bank defined in Sec.  347.202 of this 
chapter, the term branch has the meaning given in Sec.  347.202 of this 
chapter.
    (d) The term State savings association has the same meaning as in 
section (3)(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 
1813(b)(3).


Sec.  326.2   Designation of security officer.

    Upon the issuance of Federal deposit insurance, the board of 
directors of each

[[Page 13843]]

institution shall designate a security officer who shall have the 
authority, subject to the approval of the board of directors, to 
develop, within a reasonable time, but no later than 180 days, and to 
administer a written security program for each banking office.


Sec.  326.3   Security program.

    (a) Contents of security program. The security program shall:
    (1) Establish procedures for opening and closing for business and 
for the safekeeping of all currency, negotiable securities, and similar 
valuables at all times;
    (2) Establish procedures that will assist in identifying persons 
committing crimes against the institution and that will preserve 
evidence that may aid in their identification and prosecution; such 
procedures may include, but are not limited to:
    (i) Retaining a record of any robbery, burglary, or larceny 
committed against the institution;
    (ii) Maintaining a camera that records activity in the banking 
office; and
    (iii) Using identification devices, such as prerecorded serial-
numbered bills, or chemical and electronic devices;
    (3) Provide for initial and periodic training of officers and 
employees in their responsibilities under the security program and in 
proper employee conduct during and after a robbery, burglar or larceny; 
and
    (4) Provide for selecting, testing, operating and maintaining 
appropriate security devices, as specified in paragraph (b) of this 
section.
    (b) Security devices. Each institution shall have, at a minimum, 
the following security devices:
    (1) A means of protecting cash or other liquid assets, such as a 
vault, safe, or other secure space;
    (2) A lighting system for illuminating, during the hours of 
darkness, the area around the vault, if the vault is visible from 
outside the banking office;
    (3) An alarm system or other appropriate device for promptly 
notifying the nearest responsible law enforcement officers of an 
attempted or perpetrated robbery or burglary;
    (4) Tamper-resistant locks on exterior doors and exterior windows 
that may be opened; and
    (5) Such other devices as the security officer determines to be 
appropriate, taking into consideration:
    (i) The incidence of crimes against financial institutions in the 
area;
    (ii) The amount of currency or other valuables exposed to robbery, 
burglary, and larceny;
    (iii) The distance of the banking office from the nearest 
responsible law enforcement officers;
    (iv) The cost of the security devices;
    (v) Other security measures in effect at the banking office; and
    (vi) The physical characteristics of the structure of the banking 
office and its surroundings.


Sec.  326.4  Reports.

    The security officer for each institution shall report at least 
annually to the institution's board of directors on the implementation, 
administration, and effectiveness of the security program.

PART 391--[REMOVED AND RESERVED]

0
3. Under the authority of 12 U.S.C. 1819(a) Tenth, part 391, consisting 
of subpart A, is removed and reserved.

    Dated at Washington, DC, on March 20, 2018.

    By order of the Board of Directors.

Federal Deposit Insurance Corporation.
Valerie J. Best,
Assistant Executive Secretary.
[FR Doc. 2018-06161 Filed 3-30-18; 8:45 am]
 BILLING CODE 6714-01-P