Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Bank Secrecy Act (BSA)Federal Deposit Insurance Corporation (FDIC)
Federal Reserve Board (FRB)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)Identity Theft

The OCC, FRB, FDIC, and OTS are issuing the attached final “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” The guidance was published in the Federal Register on March 29, 2005, and became effective upon publication.

The guidance interprets the Interagency Guidelines Establishing Information Security Standards (Security Guidelines)[1] and states that each financial institution should implement a response program to address unauthorized access to customer information maintained by the institution or its service providers. The guidance describes the components that a response program should contain including procedures to notify customers about incidents that involve unauthorized access to sensitive customer information.

The guidance provides that, “when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.” However, notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for a delay.

> Read entire regulation (log in required - registration is free)