Final Reg - Records Disposal

Posted By: OnTheEdge

Final Reg - Records Disposal - 11/18/04 07:27 PM

For Release: November 18, 2004
FTC Issues Final Regulation on Consumer Information and Records Disposal
http://www.ftc.gov/
Posted By: ahou

Re: Final Reg - Records Disposal - 11/18/04 07:41 PM

Thanks:)
Posted By: Nanwa

Re: Final Reg - Records Disposal - 11/18/04 08:29 PM

Umm, does shredding the documents and using them for farm animal bedding qualify as proper disposal?
Posted By: Snowqueen

Re: Final Reg - Records Disposal - 11/18/04 09:18 PM

Nanwa, it depends on how intelligent the farm animals are because some may be able to read!!!

(Can't you hear an examiner saying that!!!)
Posted By: Wore Out

Re: Final Reg - Records Disposal - 11/18/04 09:26 PM

Trying to think like an examiner here...."what if a mule were to have an account number stuck to its foot and then got out of the yard and wandered into town and scraped its foot against a curb that left the account number on it and someone picked it up and....how would your Info Security Program prevent this risk?"
Posted By: Ted Dreyer

Re: Final Reg - Records Disposal - 11/18/04 09:45 PM

Quote:

Umm, does shredding the documents and using them for farm animal bedding qualify as proper disposal?

Yes, but only if you use due diligence in selecting the animal and have a contractual agreement with it to maintain security.
Posted By: Peridot

Re: Final Reg - Records Disposal - 11/18/04 10:00 PM

Quote:

Umm, does shredding the documents and using them for farm animal bedding qualify as proper disposal?

That is so funny...we do the same thing!!! I say this definitely qualifies as proper security measures for the disposal of customer records.

Thanks Nanwa, we all needed a pick-me-up after beating our heads against the FACT Act wall!!!
Posted By: RR Joker

Re: Final Reg - Records Disposal - 11/18/04 10:15 PM

Oh Gosh! I guess I'd better rush home and check all of mine's feet!!!!!
Posted By: Anonymous

Re: Final Reg - Records Disposal - 11/23/04 05:25 PM


Quote:

Yes, but only if you use due diligence in selecting the animal and have a contractual agreement with it to maintain security.

Any thoughts yet on how to comply with the contractual provisions? Are we going to have to re-review all of our contracts again and put in language regarding Disposal of information in those that concern credit report info usage, storage or disposal?
Posted By: HRH Okie Banker

Re: Final Reg - Records Disposal - 11/23/04 06:30 PM

Uh Oh - somebody just opened another door here. Do y'all feel the draft?
Posted By: Wore Out

Re: Final Reg - Records Disposal - 11/23/04 06:34 PM

I do believe that the final Disposal Rules are consistent with GLB Safeguarding Rules (which are more comprehensive and strict than FTC rules). I think as long as you can show your due diligence efforts on GLBA with regards to vendors and your own institution practices, you'll be safe in complying with the FTC guidelines.
Posted By: someone else

Re: Final Reg - Records Disposal - 11/23/04 06:35 PM

I am feeling the draft!!
Posted By: Peridot

Re: Final Reg - Records Disposal - 11/23/04 08:36 PM

I was hoping the disposal rules under GLB would be sufficient here as well. Has anyone heard anything along these lines? We already have this huge risk assessment document (which addresses customer information all the way to the point of shredding documents), I hate to think that this will no longer be sufficient either! Assuming that compliance under the safeguarding of customer information provisions of the GLB Act are sufficient and already being complied with, why would those idiots in Congress have felt the need to address this area again in another Act?

I know that was a rhetorical question, and pardon my language, but, this Act just has me so frustrated.
Posted By: Anonymous

Re: Final Reg - Records Disposal - 01/11/05 03:33 PM

What is the amount of time required to maintain credit applications "on file" to be in compliance with FTC before records can be disposed of? It used to be 25 months. Is this still a requirement and has the time changed?
Posted By: Anonymous

Re: Final Reg - Records Disposal - 01/11/05 03:43 PM

Any help out there to let me know when I can dispose of credit applications and still be in compliance... or direct me to a website that can give me the parameters?
Posted By: Bear Collector, CRCM

Re: Final Reg - Records Disposal - 01/11/05 05:45 PM

Peridot,
I just reviewed our GLB confidentiality agreement with our vendors and I do not believe it meets the §216 requirements. The biggest issue is due to the fact that we defined customer information to mean information used for personal, family and household purposes. Section 216 takes this a bit further and includes individual information used for business purposes. Therefore, I am making changes to my confidentiality agreement, which means a contract change to all the vendors we have confidentiality agreements with! Some of these vendor contracts may come up for renewal before July 2006, but for those that do not, we are going to have to send some kind of modification. Oh joy! I'm glad I have 19 months to get this done!
BC
Posted By: Bear Collector, CRCM

Re: Final Reg - Records Disposal - 01/11/05 05:51 PM

Anon,
I do not believe that the FCRA or the FACT Act changed the Reg B retention requirements. But, keep in mind that this section of the FACT Act applies to more than just your applications and AANs - it applies to any information derived from a credit report. Therefore, if it is your policy to retain the app and the AAN and purge the file of all extraneous notes and calculations regarding the loan, that documentation would be subject to the disposal requirements of FACTA. Also, any e-mail communications regarding the loan would be subject to the FACTA requirements.
BC
Posted By: Anonymous

Re: Final Reg - Records Disposal - 01/11/05 09:06 PM

What type of e-mails? This is the first I have heard of this.
Posted By: Bear Collector, CRCM

Re: Final Reg - Records Disposal - 01/11/05 10:06 PM

Information security applies to more than just your paper files - it applies to any information shared in any medium. E-mails containing confidential customer information should be encrypted if sent outside the bank. This isn't new with FACTA - this has been around since GLB. My concern is that our underwriting is centralized, so if the underwriter has questions or wants to communicate something about the loan application to the front-line person, the underwriter sends an email. The email might say something like "Customer's score is 540 so we can't make the loan." or "Please contact customer regarding derogatory from XYZ." What worries me is what the front-line person does with that email - do they store it on the computer (and how safe is it?) or print it out? If they print it, how do they dispose of it?
BC
Posted By: Anonymous

Re: Final Reg - Records Disposal - 01/13/05 03:16 PM

After reading the final rule of Section 216 (disposal of information), I believe the section of our information security program dealing with information disposal should be revised from "customer information" to "consumer information"?