Standards Proposed By Agencies
Protecting Customer Information in a Compliance Program
by John J. Byrne, Esq., Senior Federal Legislative Counsel, ABA
On June 21, 2000, the federal banking agencies issued a joint notice of proposed rulemaking setting out guidelines for establishing standards for safeguarding customer information under §501(b) of Gramm-Leach-Bliley.
You may recall that §501 of GLB required the agencies to establish appropriate standards relating to administrative, technical, and physical safeguards for customer records and information.
In the same section of the financial modernization law that covered privacy, the statute directed that these safeguards are intended to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.
Guideline or Regulation?
It is important to note that the agencies are proposing this rule as a "guideline" rather than a regulation, but they are seeking comments on whether a regulation is preferable.
The separate agency proposals are "substantively identical," and key aspects of the guidelines were derived from the security-related supervisory guidance issued by the agencies and the Federal Financial Institutions Examination Council (FFIEC) in 1998.
Excessive Burdens?
The agencies have also specifically asked commenters to identify which parts of the guidelines impose excessive burdens and to describe those burdens.
Commenters should also address (1) alternative methods that would accomplish the same purpose, or (2) why the intended purpose is unnecessary or should be modified.
Community Banks Important!
If there is enough interest, the agencies may create a compliance guide for community banks. This will certainly occur if the affected institutions can successfully argue that the guidelines are either not reasonable and realistic for smaller institutions or that the goals of this proposal can be achieved through an alternative approach.
Therefore, community banks should review the proposal and comment on whether the institutions have the "available personnel with the requisite expertise" to comply with the guidelines.
Key Elements of the Proposal
The proposed guidelines outline the steps of putting in place an information security program.
An institution must have oversight by its board of directors to: (1) approve the institution's written information security policy and program; and (2) oversee efforts to develop, implement, and maintain an effective information security program, including regular review of management reports.
The proposal seeks comment on how often there should be reports to the board: monthly, quarterly, or annually? It would also be appropriate to suggest that no specific reporting interval be placed in the guidelines.
In creating the program, the guidelines contemplate that the institution (1) identify and assess the risks that may threaten customer information; (2) develop a written plan; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in, among other things, technology.
The guidelines also cover how an institution should assess risk, manage and control risk and oversee outsourcing arrangements.
Copyright © 2000 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 10, No. 7, 7/00