
I. INTRODUCTION

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which OTS has authority. For purposes of this appendix, these entities are savings associations whose deposits are FDIC-insured and any subsidiaries of such savings associations, except brokers, dealers, persons providing insurance, investment companies, and investment advisers. This appendix refers to such entities as "you".

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit OTS's authority to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. OTS may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to OTS.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p-1).

2. For purposes of the Guidelines, the following definitions apply:

a. Customer means any of your customers as defined in § 573.3(h) of this chapter.

b. Customer information means any record containing nonpublic personal information, as defined in §573.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that you maintain or that is maintained on your behalf.

c. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

d. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to you.

II. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

A. Information Security Program. You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities. While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.

B. Objectives. Your information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SECURITY PROGRAM

A. Involve the Board of Directors. Your board of directors or an appropriate committee of the board shall:

1. Approve your written information security program; and

2. Oversee the development, implementation, and maintenance of your information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. You shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. You shall:

1. Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with your information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions for you to take when you suspect or detect that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement your information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. You shall:

1. Exercise appropriate due diligence in selecting your service providers;

2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers.

E. Adjust the Program. You shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of your customer information, internal or external threats to information, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. You shall report to your board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and your compliance with these Guidelines. The reports should discuss material matters related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. You must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that you have entered into with a service provider to perform services for you or functions on your behalf satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as you entered into the contract on or before March 5, 2001.

[66 FR 8640, Feb. 1, 2001]


(a) Act means the National Flood Insurance Act of 1968, as amended (42 U.S.C. 4001-4129).

(b) Savings association means, for purposes of this part, a savings association as that term is defined in 12 U.S.C. 1813(b)(1) and any subsidiaries or service corporations thereof.

(c) Building means a walled and roofed structure, other than a gas or liquid storage tank, that is principally above ground and affixed to a permanent site, and a walled and roofed structure while in the course of construction, alteration, or repair.

(d) Community means a State or a political subdivision of a State that has zoning and building code jurisdiction over a particular area having special flood hazards.

(e) Designated loan means a loan secured by a building or mobile home that is located or to be located in a special flood hazard area in which flood insurance is available under the Act.

(f) Director of FEMA means the Director of the Federal Emergency Management Agency.

(g) Mobile home means a structure, transportable in one or more sections, that is built on a permanent chassis and designed for use with or without a permanent foundation when attached to the required utilities. The term mobile home does not include a recreational vehicle. For purposes of this part, the term mobile home means a mobile home on a permanent foundation. The term mobile home includes a manufactured home as that term is used in the NFIP.

(h) NFIP means the National Flood Insurance Program authorized under the Act.

(i) Residential improved real estate means real estate upon which a home or other residential building is located or to be located.

(j) Servicer means the person responsible for:

(1) Receiving any scheduled, periodic payments from a borrower under the terms of a loan, including amounts for taxes, insurance premiums, and other charges with respect to the property securing the loan; and

(2) Making payments of principal and interest and any other payments from the amounts received from the borrower as may be required under the terms of the loan.

(k) Special flood hazard area means the land in the flood plain within a community having at least a one percent chance of flooding in any given year, as designated by the Director of FEMA.

(l) Table funding means a settlement at which a loan is funded by a contemporaneous advance of loan funds and an assignment of the loan to the person advancing the funds.

§ 572.3 Requirement to purchase flood insurance where available.

(a) In general. A savings association shall not make, increase, extend, or renew any designated loan unless the building or mobile home and any personal property securing the loan is covered by flood insurance for the term of the loan. The amount of insurance must be at least equal to the lesser of the outstanding principal balance of the designated loan or the maximum limit of coverage available for the particular type of property under the Act. Flood insurance coverage under the Act is limited to the overall value of the property securing the designated loan minus the value of the land on which the property is located.

(b) Table funded loans. A savings association that acquires a loan from a mortgage broker or other entity through table funding shall be considered to be making a loan for the purposes of this part.

§ 572.4 Exemptions.

The flood insurance requirement prescribed by §572.3 does not apply with respect to:

(a) Any State-owned property covered under a policy of self-insurance satisfactory to the Director of FEMA, who publishes and periodically revises the list of States falling within this exemption; or

(b) Property securing any loan with an original principal balance of $5,000 or less and a repayment term of one year or less.

§ 572.5 Escrow requirement.

If a savings association requires the escrow of taxes, insurance premiums, fees, or any other charges for a loan secured by residential improved real estate or a mobile home that is made, increased, extended, or renewed on or after October 1, 1996, the savings association shall also require the escrow of all premiums and fees for any flood insurance required under §572.3. The savings association, or a servicer acting on behalf of the savings association, shall deposit the flood insurance premiums on behalf of the borrower in an escrow account. This escrow account will be subject to escrow requirements adopted pursuant to section 10 of the Real Estate Settlement Procedures Act of 1974 (12 U.S.C. 2609) (RESPA), which generally limits the amount that may be maintained in escrow accounts for certain types of loans and requires escrow account statements for those accounts, only if the loan is otherwise subject to RESPA. Following receipt of a notice from the Director of FEMA or other provider of flood insurance that premiums are due, the savings association, or a servicer acting on behalf of the savings association, shall pay the amount owed to the insurance provider from the escrow account by the date when such premiums are due.

§ 572.6 Required use of standard flood hazard determination form.

(a) Use of form. A savings association shall use the standard flood hazard determination form developed by the Director of FEMA when determining whether the building or mobile home offered as collateral security for a loan is or will be located in a special flood hazard area in which flood insurance is available under the Act. The standard flood hazard determination form may be used in a printed, computerized, or electronic manner. A savings association may obtain the standard flood hazard determination form from FEMA, P.O. Box 2012, Jessup, MD 20794-2012.

(b) Retention of form. A savings association shall retain a copy of the completed standard flood hazard determination form, in either hard copy or electronic form, for the period of time the savings association owns the loan.

[61 FR 45709, Aug. 29, 1996, as amended at 64 FR 69185, Dec. 10, 1999]

§ 572.7 Forced placement of flood insurance.

If a savings association, or a servicer acting on behalf of the savings association, determines at any time during the term of a designated loan that the building or mobile home and any personal property securing the designated loan is not covered by flood insurance or is covered by flood insurance in an amount less than the amount required under §572.3, then the savings association or its servicer shall notify the borrower that the borrower should obtain flood insurance, at the borrower's expense, in an amount at least equal to the amount required under §572.3, for the remaining term of the loan. If the borrower fails to obtain flood insurance within 45 days after notification, then the savings association or its servicer shall purchase insurance on the borrower's behalf. The savings association or its servicer may charge the borrower for the cost of premiums and fees incurred in purchasing the insurance.

§ 572.8 Determination fees.

(a) General. Notwithstanding any Federal or State law other than the Flood Disaster Protection Act of 1973, as amended (42 U.S.C. 4001-4129), any savings association, or a servicer acting on behalf of the savings association, may charge a reasonable fee for determining whether the building or mobile home securing the loan is located or will be located in a special flood hazard area. A determination fee may also include, but is not limited to, a fee for life-of-loan monitoring.

(b) Borrower fee. The determination fee authorized by paragraph (a) of this section may be charged to the borrower if the determination:

(1) Is made in connection with a making, increasing, extending, or renewing of the loan that is initiated by the borrower;

(2) Reflects the Director of FEMA's revision or updating of floodplain areas or flood-risk zones;

(3) Reflects the Director of FEMA's publication of a notice or compendium that:

(i) Affects the area in which the building or mobile home securing the loan is located; or

(ii) By determination of the Director of FEMA, may reasonably require a determination whether the building or mobile home securing the loan is located in a special flood hazard area; or

(4) Results in the purchase of flood insurance coverage by the lender or its servicer on behalf of the borrower under § 572.7.

(c) Purchaser or transferee fee. The determination fee authorized by paragraph (a) of this section may be charged to the purchaser or transferee of a loan in the case of the sale or transfer of the loan.

§ 572.9 Notice of special flood hazards and availability of Federal disaster relief assistance.

(a) Notice requirement. When a savings association makes, increases, extends, or renews a loan secured by a building or a mobile home located or to be located in a special flood hazard area, the savings association shall mail or deliver a written notice to the borrower and to the servicer in all cases whether or not flood insurance is available under the Act for the collateral securing the loan.

(b) Contents of notice. The written notice must include the following information:

(1) A warning, in a form approved by the Director of FEMA, that the building or the mobile home is or will be located in a special flood hazard area;

(2) A description of the flood insurance purchase requirements set forth in section 102(b) of the Flood Disaster Protection Act of 1973, as amended (42 U.S.C. 4012a(b));

(3) A statement, where applicable, that flood insurance coverage is available under the NFIP and may also be available from private insurers; and

(4) A statement whether Federal disaster relief assistance may be available in the event of damage to the building or mobile home caused by flooding in a Federally-declared disaster.

(c) Timing of notice. The savings association shall provide the notice required by paragraph (a) of this section to the borrower within a reasonable time before the completion of the transaction, and to the servicer as promptly as practicable after the savings association provides notice to the borrower and in any event no later than the savings association provides other similar notices to the servicer concerning hazard insurance and taxes. Notice to the servicer may be made electronically or may take the form of a copy of the notice to the borrower.

(d) Record of receipt. The savings association shall retain a record of the receipt of the notices by the borrower and the servicer for the period of time the savings association owns the loan.

(e) Alternate method of notice. Instead of providing the notice to the borrower required by paragraph (a) of this section, a savings association may obtain satisfactory written assurance from a seller or lessor that, within a reasonable time before the completion of the sale or lease transaction, the seller or lessor has provided such notice to the purchaser or lessee. The savings association shall retain a record of the written assurance from the seller or lessor for the period of time the savings association owns the loan.

(f) Use of prescribed form of notice. A savings association will be considered to be in compliance with the requirement for notice to the borrower of this section by providing written notice to the borrower containing the language presented in appendix A to this part within a reasonable time before the completion of the transaction. The notice presented in appendix A to this part satisfies the borrower notice requirements of the Act.

§ 572.10 Notice of servicer's identity.

(a) Notice requirement. When a savings association makes, increases, extends, renews, sells, or transfers a loan secured by a building or mobile home located or to be located in a special flood hazard area, the savings association
