Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (OCC Guidance; Federal Deposit Insurance Corporation (FDIC))

The Agencies are jointly issuing final Guidance that interprets the requirements of section 501(b) of the GLBA, 15 U.S.C. 6801, and the Security Guidelines to include the development and implementation of a response program to address unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution's response program, including customer notification procedures. Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
On February 1, 2001, the Agencies issued the Security Guidelines as required by section 501(b) (66 FR 8616). Among other things, the Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.