The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly approved and issued the attached guidelines establishing standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLBA). GLBA requires the banking agencies to establish appropriate standards for financial institutions relating to the administrative, technical and physical safeguards of customer records and information. The standards' objectives are to:
Information Security Program
The guidelines describe the agencies' expectations for creating, implementing and maintaining an information security program. This program must include administrative, technical and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The guidelines also describe the oversight role of the institution's board of directors in this process and its continuing duty to evaluate and oversee the program's overall status. Institutions are required to:
Risk Assessment
The guidelines describe the elements of a comprehensive risk-management plan designed to control identified risks and achieve the overall objective of ensuring the security and confidentiality of customer information. They identify the factors an institution should consider in evaluating the adequacy of its policies and procedures to effectively manage these risks commensurate with the sensitivity of the information, as well as the complexity and scope of the institution and its activities. The agencies intend that these elements will provide general parameters for institutions of varying sizes, scopes of operation and risk-management structures.
Involvement of the Board of Directors
The guidelines describe the responsibilities of the board of directors and management in developing and implementing an information security program. The board, or an appropriate board committee, is expected to:
Outsourcing Arrangements
To confirm that its service providers have implemented an effective information security program to protect customer information and customer information systems consistent with these guidelines, an institution should exercise appropriate due diligence in managing and monitoring its outsourcing arrangements.
For more information, please contact Jeffrey M. Kopchik (202-898-3872) or Thomas J. Tuzinski (202-898-6748) in the FDIC's Division of Supervision, or Robert A. Patrick (202-898-3757) in the FDIC's Legal Division.
Attachment: Feb. 1, 2001, Federal Register, pages 8616-8641
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (800-276-6003 or (703) 562-2200).