83 FR 13839 - Removal of Transferred OTS Regulations Regarding Minimum Security Procedures Amendments to FDIC Regulations
FEDERAL DEPOSIT INSURANCE CORPORATION Federal Register Volume 83, Issue 63 (April 2, 2018)
Federal Register Volume 83, Issue 63 (April 2, 2018)
| Page Range | 13839-13843 | |
| FR Document | 2018-06161 |
[Federal Register Volume 83, Number 63 (Monday, April 2, 2018)] [Rules and Regulations] [Pages 13839-13843] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-06161] ======================================================================= ----------------------------------------------------------------------- FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Parts 326 and 391 RIN 3064-AE47 Removal of Transferred OTS Regulations Regarding Minimum Security Procedures Amendments to FDIC Regulations AGENCY: Federal Deposit Insurance Corporation. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Federal Deposit Insurance Corporation (``FDIC'') is adopting a final rule to rescind and remove a part from the Code of Federal Regulations entitled ``Security Procedures'' and to amend FDIC regulations to make the removed Office of Thrift Supervision (``OTS'') regulations applicable to State savings associations. DATES: The final rule is effective on May 2, 2018. FOR FURTHER INFORMATION CONTACT: Lauren Whitaker, Senior Attorney, Consumer Compliance Section, Legal Division (202) 898-3872; Karen Jones Currie, Senior Examination Specialist, Division of Risk Management and Supervision (202) 898-3981. SUPPLEMENTARY INFORMATION: Part 391, subpart A, was included in the regulations that were transferred to the FDIC from the Office of Thrift Supervision (``OTS'') on July 21, 2011, in connection with the implementation of applicable provisions of title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act (``Dodd-Frank Act'').\1\ With the exception of one provision (Sec. 391.5) the requirements for State savings associations in part 391, subpart A, are substantively identical to the requirements in the FDIC's 12 CFR part 326 (``part 326''), which is entitled ``Minimum Security Procedures.'' The one exception directs savings associations to comply with appendix B to subpart B of Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) contained in FDIC rules at part 364, appendix B. The FDIC previously revised part 364 to make the Interagency Guidelines applicable to both State nonmember banks and State savings associations.\2\ --------------------------------------------------------------------------- \1\ Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376 (2010) (codified at 12 U.S.C. 5301 et seq.). \2\ 80 FR 65907 (Oct. 28, 2015). --------------------------------------------------------------------------- The FDIC is adopting a final rule (``Final Rule'') to rescind in its entirety part 391, subpart A and to modify the scope of part 326 to include State savings associations to conform to and reflect the scope of the FDIC's current supervisory responsibilities as the appropriate Federal banking agency. The FDIC is also adding definitions of ``FDIC- supervised insured depository institution or institution'' and ``State savings association.'' Upon removal of part 391, subpart A, the Security Procedures, regulations applicable for all insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency will be found at 12 CFR part 326. I. Background The Dodd-Frank Act The Dodd-Frank Act provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency (``OCC''), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (``FRB''), as to savings and loan holding companies. Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. This section provides that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law. Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations that would be enforced by the FDIC and [[Page 13840]] the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a ``List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.'' This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.\3\ --------------------------------------------------------------------------- \3\ 76 FR 39247 (July 6, 2011). --------------------------------------------------------------------------- Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the FDI Act and other laws as the ``appropriate Federal banking agency'' or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of ``appropriate Federal banking agency'' contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the list of entities for which the FDIC is designated as the ``appropriate Federal banking agency.'' As a result, when the FDIC acts as the designated ``appropriate Federal banking agency'' (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify, and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks. As noted, on June 14, 2011, pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring regulations of the former OTS. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.\4\ When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules, and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them as appropriate. --------------------------------------------------------------------------- \4\ 76 FR 47652 (Aug. 5, 2011). --------------------------------------------------------------------------- One of the OTS rules transferred to the FDIC governed OTS oversight of minimum security devices and procedures for State savings associations. The OTS rule, formerly found at 12 CFR part 568, was transferred to the FDIC with only nominal changes, and is now found in the FDIC's rules at part 391, subpart A, entitled ``Security Procedures.'' Before the transfer of the OTS rules and continuing today, the FDIC's rules contained part 326, subpart A, entitled ``Minimum Security Procedures,'' a rule governing FDIC oversight of security devices and procedures to discourage burglaries, robberies, and larcenies, and assist law enforcement in the identification and apprehension of those who commit such crimes with respect to insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency. One provision in part 391, subpart A, namely Sec. 391.5, is not contained in part 326, subpart A. It directs savings associations and certain subsidiaries to comply with the Interagency Guidelines Establishing Information Security Standards, which were adopted jointly by the OTS and the FDIC and other banking agencies, and are contained in appendix B to part 364 in FDIC regulations. After careful review and comparison of part 391, subpart A, and part 326, the FDIC is adopting a Final Rule to rescind part 391, subpart A, because, as discussed below, it is substantively redundant to existing part 326, and simultaneously finalizes the technical conforming edits to the FDIC's existing rule. FDIC's Existing 12 CFR Part 326 and Former OTS's Part 568 (Transferred to FDIC's Part 391, Subpart A) Section 3 of the Bank Protection Act of 1968 directed the appropriate Federal banking agencies and the OTS' predecessor, the Federal Home Loan Bank Board (``FHLBB''), to establish minimum security standards for banks and savings associations, at reasonable cost, to serve as a deterrent to robberies, burglaries, and larcenies, and to assist law enforcement in identifying and prosecuting persons who commit such acts.\5\ In the initial rulemakings, the agencies consulted and cooperated with each other to promote a goal of uniformity where practicable. The initial minimum security rules were simultaneously issued in January 1969 and were substantively the same.\6\ --------------------------------------------------------------------------- \5\ 12 U.S.C. 1882. \6\ 34 FR 618 (January 16, 1969); 34 FR 621 (January 16, 1969). --------------------------------------------------------------------------- In 1991, the minimum security rules were substantially revised to reduce unnecessary specificity, remove obsolete requirements, and place greater responsibility on the boards of directors of insured financial institutions for establishing and ensuring the implementation and maintenance of security programs and procedures. The former FHLBB rules at 12 CFR part 563a were redesignated as 12 CFR part 568 by the OTS. The OTS rules remained substantively the same as the FDIC's rules in part 326, subpart A.\7\ --------------------------------------------------------------------------- \7\ 56 FR 29565 (June 28, 1991); 56 FR 13579 (April 3, 1991). --------------------------------------------------------------------------- In 2001, the FDIC, other Federal banking agencies, and the OTS issued Interagency Guidelines for Safeguarding Customer Information pursuant to section 501 of the Gramm Leach Bliley Act (``Protection of Nonpublic Personal Information'').\8\ At the same time, the OTS added a provision at the end of its security procedures rules at section 568.5 directing saving associations and certain subsidiaries to comply with appendix B to the Interagency Guidelines. In a preamble footnote, the OTS indicated that the reason for the additional provision to its minimum security rules was ``[b]ecause information security guidelines are similar to physical security procedures.'' \9\ In 2004, following enactment of the Fair and Accurate Credit Transactions Act (FACT Act), the OTS, FDIC, and other banking agencies revised the Interagency Guidelines for Safeguarding Customer Information and renamed them the Interagency Guidelines for Establishing Information Security Standards. The Interagency Guidelines were located in the FDIC rules at part 364. In 2015, the FDIC amended part 364 to, among other reasons, make it applicable to State savings associations.\10\ After careful comparison of the FDIC's part 326, subpart A, with the transferred OTS rule in part 391, subpart A, the FDIC has concluded that the transferred OTS rules governing minimum security procedures are substantively redundant. Based on the foregoing, the FDIC is adopting a Final Rule to rescind and remove from the Code of Federal Regulations the transferred OTS rules located at part 391, subpart A, and to make technical amendments to part 326, subpart A, to incorporate State savings associations. --------------------------------------------------------------------------- \8\ 66 FR 8616 (Feb. 1, 2001). \9\ Id. at footnote 2. \10\ 80 FR 65903 (Oct. 28, 2015). --------------------------------------------------------------------------- II. The Proposed Rule Regarding the functions of the former OTS that were transferred to the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 5414(b)(3), in pertinent part, provides that the former OTS's regulations will be enforceable by the FDIC until they are modified, terminated, set aside, or superseded in accordance with applicable law. After reviewing the rules currently found in part 391, subpart A, the FDIC issued a Notice of Proposed Rulemaking (``NPR'' or ``Proposed Rule''), which proposed to [[Page 13841]] (1) rescind part 391, subpart A, in its entirety; (2) modify the scope of part 326, subpart A, to include State savings associations and their subsidiaries to conform to and reflect the scope of FDIC's current supervisory responsibilities as the appropriate Federal banking agency for State savings associations; (3) delete the definition of ``insured nonmember bank'' and replace it with a definition of ``FDIC-supervised insured depository institution or institution,'' which means ``any State nonmember insured bank or State savings association for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q))''; (4) add a new subsection (i), which would define ``State savings association'' as having ``the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3))''; and (5) make conforming technical edits throughout, including replacing the term ``bank'' with ``FDIC- supervised insured depository institution'' or ``institution''. Under the Proposed Rule, oversight of minimum security procedures in part 326, subpart A, would apply to all FDIC-supervised institutions, including State savings associations, and part 391, subpart A, would be removed because it is largely redundant of the rules found in part 326. Rescinding part 391, subpart A, will serve to streamline the FDIC's rules and eliminate unnecessary regulations. III. Comments The FDIC issued the NPR with a 60-day comment period, which closed on January 3, 2017. The FDIC received no comments on its Proposed Rule, and consequently the Final Rule is adopted as proposed without any changes. IV. Explanation of the Final Rule As discussed in the NPR, with the exception of one provision (Sec. 391.5), the requirements for State savings associations in part 391, subpart A, are substantively identical to the requirements in the FDIC's 12 CFR part 326 (``part 326''). The one exception directs savings associations to comply with appendix B to subpart B of Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) contained in FDIC rules at part 364, appendix B. The FDIC previously revised part 364 to make the Interagency Guidelines applicable to both State nonmember banks and State savings associations. The designation of part 326 as a single authority regarding security standards and procedures will serve to streamline the FDIC's rules and eliminate unnecessary regulations. To that effect, the Final Rule removes and rescinds 12 CFR part 391, subpart A, in its entirety. Consistent with the Proposed Rule, the Final Rule modifies the scope of part 326, subpart A, to include State savings associations and their subsidiaries to conform to and reflect the scope of FDIC's current supervisory responsibilities as the appropriate Federal banking agency for State savings associations. The Final Rule also deletes the definition of ``insured nonmember bank'' and replaces it with a definition of ``FDIC-supervised insured depository institution or institution,'' which means ``any State nonmember insured bank or State savings association for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)).'' Additionally, the Final Rule adds a new subsection (i), which would define ``State savings association'' as having ``the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3)) and makes conforming technical edits throughout, including replacing the term ``bank'' with ``FDIC-supervised insured depository institution'' or ``institution''. V. Regulatory Analysis and Procedure A. The Paperwork Reduction Act In accordance with the requirements of the Paperwork Reduction Act (``PRA'') of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (``OMB'') control number. The Final Rule would rescind and remove part 391, subpart A, from the FDIC regulations. This rule was transferred with only nominal changes to the FDIC from the OTS when the OTS was abolished by title III of the Dodd-Frank Act. Part 391, subpart A, is substantively similar to the FDIC's existing part 326, subpart A, regarding oversight of minimum security procedures for depository institutions with the exception of one provision at the end of part 391, subpart A, which directs savings associations to comply with Interagency Guidelines, which are located in Appendix B to part 364. In 2015, the FDIC proposed and finalized revisions to part 364 that made part 364, including the Interagency Guidelines in Appendix B, applicable to State savings associations as well as State nonmember banks. The Final Rule also (1) amends part 326, subpart A to include State savings associations and their subsidiaries within its scope; (2) defines ``FDIC-supervised insured depository institution or institution'' and ``State savings association''; and (3) makes conforming technical edits throughout. These measures clarify that State savings associations, as well as State nonmember banks, are subject to part 326, subpart A. With respect to part 326, subpart A, the Final Rule does not revise any existing, or create any new information collection pursuant to the PRA. Consequently, no submission has been made to the Office of Management and Budget for review. B. The Regulatory Flexibility Act The Regulatory Flexibility Act requires an agency to consider the impact that a final rule will have on small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $550 million).\11\ However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities, and publishes its certification and a short explanatory Statement in the Federal Register together with the rule. For the reasons provided below, the FDIC certifies that the Final Rule would not have a significant economic impact on a substantial number of small entities. --------------------------------------------------------------------------- \11\ 5 U.S.C. 601 et seq. --------------------------------------------------------------------------- As discussed in the NPR, part 391, subpart A, was transferred from OTS part 568, which governed minimum security procedures for depository institutions. The initial minimum security rules, though issued separately by the agencies, were all published in January 1969. The OTS rule, part 568, had been in effect since 1991 and all State savings associations were required to comply with it. Because it is substantially the same as existing part 326, subpart A of the FDIC's rules and therefore redundant, the FDIC is adopting a final rule to rescind and remove the transferred regulation now located in part 391, subpart A. As a result, all FDIC-supervised institutions--including State savings associations and their subsidiaries--would be required to comply with the minimum security procedures in part 326, subpart A. Because all State savings associations and their subsidiaries have [[Page 13842]] been required to comply with nearly identical security procedures rules since 1969, the Final Rule would not place additional requirements or burdens on any State savings association irrespective of its size. Therefore, the Final Rule would not have a significant impact on a substantial number of small entities. C. Small Business Regulatory Enforcement Fairness Act The Office of Management and Budget has determined that the Final Rule is not a ``major rule'' within the meaning of the Small Business Regulatory Enforcement Fairness Act of 1996 (``SBREFA''), 5 U.S.C. 801 et seq. As required by SBREFA, the FDIC will submit the Final Rule and other appropriate reports to Congress and the Government Accountability Office for review. D. Plain Language Section 722 of the Gramm-Leach- Bliley Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. In the NPR, the FDIC invited comments on whether the Proposed Rule was clearly stated and effectively organized, and how the FDIC might make it easier to understand. Although the FDIC did not receive any comments, the FDIC sought to present the Final Rule in a simple and straightforward manner. D. The Economic Growth and Regulatory Paperwork Reduction Act Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (``EGRPRA''), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.\12\ The FDIC, along with the other Federal banking agencies, submitted a Joint Report to Congress on March 21, 2017 (``EGRPRA Report'') discussing how the review was conducted, what has been done to date to address regulatory burden, and further measures we will take to address issues that were identified.\13\ As noted in the EGRPRA Report, the FDIC is continuing to streamline and clarify its regulations through the OTS rule integration process. By removing outdated or unnecessary regulations, such as part 391, subpart A, and modifying the Minimum Security Procedures, this rule complements other actions the FDIC has taken, separately and with the other Federal banking agencies, to further the EGRPRA mandate. --------------------------------------------------------------------------- \12\ Public Law 104-208, 110 Stat. 3009 (1996). \13\ 82 FR 15900 (March 31, 2017). --------------------------------------------------------------------------- E. Riegle Community Development and Regulatory Improvement Act of 1994 The Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA) requires the FDIC, in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions, consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on insured depository institutions generally must take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form.\14\ The final rule includes no new reporting, disclosure, or other new requirements on insured depository institutions. Therefore, the final rule is not subject to the requirements of the statute. --------------------------------------------------------------------------- \14\ 12 U.S.C. 4802. --------------------------------------------------------------------------- List of Subjects 12 CFR Part 326 Banks, Banking, Minimum security procedures, Savings associations. 12 CFR Part 391 Security procedures. Authority and Issuance For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation amends 12 CFR parts 326 and 391 as follows: PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY ACT 1 COMPLIANCE --------------------------------------------------------------------------- \1\ In its original form, subchapter II of chapter 53 of title 31, U.S.C. was part of Public Law 91-508 which requires recordkeeping for and reporting of currency transactions by banks and others and is commonly known as the Bank Secrecy Act. 0 1. The authority citation for part 326 continues to read as follows: Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-1883; 31 U.S.C. 5311-5314 and 5316-5332.2. 0 2. Revise subpart A to read as follows: Subpart A--Minimum Security Procedures Sec. 326.0 Authority, purpose, and scope. 326.1 Definitions. 326.2 Designation of security officer. 326.3 Security program. 326.4 Reports. Sec. 326.0 Authority, purpose, and scope. (a) This part is issued by the Federal Deposit Insurance Corporation (``FDIC'') pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882). It applies to FDIC-supervised insured depository institutions. It requires each institution to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in identifying and apprehending persons who commit such acts. (b) It is the responsibility of the institution's board of directors to comply with this part and ensure that a written security program for the institution's main office and branches is developed and implemented. Sec. 326.1 Definitions. For the purposes of this part-- (a) The term FDIC-supervised insured depository institution or institution means any insured depository institution for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q)(2) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(q)(2). (b) The term banking office includes any branch of an institution and, in the case of an FDIC-supervised insured depository institution; it includes the main office of that institution. (c) The term branch for an institution chartered under the laws of any state of the United States includes any branch institution, branch office, branch agency, additional office, or any branch place of business located in any state or territory of the United States, District of Columbia, Puerto Rico, Guam, American Samoa, the Trust Territory of the Pacific Islands, the Northern Mariana Islands or the Virgin Islands at which deposits are received or checks paid or money lent. In the case of a foreign bank defined in Sec. 347.202 of this chapter, the term branch has the meaning given in Sec. 347.202 of this chapter. (d) The term State savings association has the same meaning as in section (3)(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3). Sec. 326.2 Designation of security officer. Upon the issuance of Federal deposit insurance, the board of directors of each [[Page 13843]] institution shall designate a security officer who shall have the authority, subject to the approval of the board of directors, to develop, within a reasonable time, but no later than 180 days, and to administer a written security program for each banking office. Sec. 326.3 Security program. (a) Contents of security program. The security program shall: (1) Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times; (2) Establish procedures that will assist in identifying persons committing crimes against the institution and that will preserve evidence that may aid in their identification and prosecution; such procedures may include, but are not limited to: (i) Retaining a record of any robbery, burglary, or larceny committed against the institution; (ii) Maintaining a camera that records activity in the banking office; and (iii) Using identification devices, such as prerecorded serial- numbered bills, or chemical and electronic devices; (3) Provide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a robbery, burglar or larceny; and (4) Provide for selecting, testing, operating and maintaining appropriate security devices, as specified in paragraph (b) of this section. (b) Security devices. Each institution shall have, at a minimum, the following security devices: (1) A means of protecting cash or other liquid assets, such as a vault, safe, or other secure space; (2) A lighting system for illuminating, during the hours of darkness, the area around the vault, if the vault is visible from outside the banking office; (3) An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery or burglary; (4) Tamper-resistant locks on exterior doors and exterior windows that may be opened; and (5) Such other devices as the security officer determines to be appropriate, taking into consideration: (i) The incidence of crimes against financial institutions in the area; (ii) The amount of currency or other valuables exposed to robbery, burglary, and larceny; (iii) The distance of the banking office from the nearest responsible law enforcement officers; (iv) The cost of the security devices; (v) Other security measures in effect at the banking office; and (vi) The physical characteristics of the structure of the banking office and its surroundings. Sec. 326.4 Reports. The security officer for each institution shall report at least annually to the institution's board of directors on the implementation, administration, and effectiveness of the security program. PART 391--[REMOVED AND RESERVED] 0 3. Under the authority of 12 U.S.C. 1819(a) Tenth, part 391, consisting of subpart A, is removed and reserved. Dated at Washington, DC, on March 20, 2018. By order of the Board of Directors. Federal Deposit Insurance Corporation. Valerie J. Best, Assistant Executive Secretary. [FR Doc. 2018-06161 Filed 3-30-18; 8:45 am] BILLING CODE 6714-01-P
![Federal Register / Vol. 83, No. 63 / Monday, April 2, 2018 / Rules and Regulations 13839
(b) * * * Dated: March 26, 2018. appendix B. The FDIC previously
(1) For violations that occurred on or Kirstjen M. Nielsen, revised part 364 to make the Interagency
before November 2, 2015, $10,000 per Secretary. Guidelines applicable to both State
violation, up to a total of $50,000 per [FR Doc. 2018–06486 Filed 3–30–18; 8:45 am] nonmember banks and State savings
civil penalty action, in the case of an BILLING CODE 9110–9P–P, 9111–14–P; 9111–28–P,
associations.2
individual or small business concern, as 9110–04–P, 9110–05–P The FDIC is adopting a final rule
defined in section 3 of the Small (‘‘Final Rule’’) to rescind in its entirety
Business Act (15 U.S.C. 632). For part 391, subpart A and to modify the
violations that occurred after November FEDERAL DEPOSIT INSURANCE scope of part 326 to include State
2, 2015 $11,410 per violation, up to a CORPORATION savings associations to conform to and
total of $57,051 per civil penalty action, reflect the scope of the FDIC’s current
in the case of an individual or small 12 CFR Parts 326 and 391 supervisory responsibilities as the
business concern; and appropriate Federal banking agency.
RIN 3064–AE47
(2) For violations that occurred on or The FDIC is also adding definitions of
before November 2, 2015, $10,000 per Removal of Transferred OTS ‘‘FDIC-supervised insured depository
violation, up to a total of $400,000 per Regulations Regarding Minimum institution or institution’’ and ‘‘State
civil penalty action, in the case of any Security Procedures Amendments to savings association.’’ Upon removal of
other person. For violations that FDIC Regulations part 391, subpart A, the Security
occurred after November 2, 2015, Procedures, regulations applicable for
$11,410 per violation, up to a total of AGENCY: Federal Deposit Insurance all insured depository institutions for
$456,409 per civil penalty action, in the Corporation. which the FDIC has been designated the
case of any other person. ACTION: Final rule. appropriate Federal banking agency will
(c) * * * be found at 12 CFR part 326.
(1) For violations that occurred on or SUMMARY: The Federal Deposit
Insurance Corporation (‘‘FDIC’’) is I. Background
before November 2, 2015, $10,000 per
violation, up to a total of $50,000 per adopting a final rule to rescind and The Dodd-Frank Act
civil penalty action, in the case of an remove a part from the Code of Federal The Dodd-Frank Act provided for a
individual or small business concern, as Regulations entitled ‘‘Security substantial reorganization of the
defined in section 3 of the Small Procedures’’ and to amend FDIC regulation of State and Federal savings
Business Act (15 U.S.C. 632). For regulations to make the removed Office associations and their holding
violations that occurred after November of Thrift Supervision (‘‘OTS’’) companies. Beginning July 21, 2011, the
2, 2015, $13,333 per violation, up to a regulations applicable to State savings transfer date established by section 311
total of $66,666 per civil penalty action, associations. of the Dodd-Frank Act, codified at 12
in the case of an individual (except an DATES: The final rule is effective on May U.S.C. 5411, the powers, duties, and
airman serving as an airman), or a small 2, 2018. functions formerly performed by the
business concern. FOR FURTHER INFORMATION CONTACT: OTS were divided among the FDIC, as
(2) For violations that occurred on or Lauren Whitaker, Senior Attorney, to State savings associations, the Office
before November 2, 2015, $10,000 per Consumer Compliance Section, Legal of the Comptroller of the Currency
violation, up to a total of $400,000 per Division (202) 898–3872; Karen Jones (‘‘OCC’’), as to Federal savings
civil penalty action, in the case of any Currie, Senior Examination Specialist, associations, and the Board of
other person (except an airman serving Division of Risk Management and Governors of the Federal Reserve
as an airman) not operating an aircraft Supervision (202) 898–3981. System (‘‘FRB’’), as to savings and loan
for the transportation of passengers or holding companies. Section 316(b) of
SUPPLEMENTARY INFORMATION: Part 391,
property for compensation. For the Dodd-Frank Act, codified at 12
subpart A, was included in the
violations that occurred after November U.S.C. 5414(b), provides the manner of
regulations that were transferred to the
2, 2015, $13,333 per violation, up to a treatment for all orders, resolutions,
FDIC from the Office of Thrift
total of $533,324 per civil penalty determinations, regulations, and
Supervision (‘‘OTS’’) on July 21, 2011,
action, in the case of any other person advisory materials that had been issued,
in connection with the implementation
(except an airman serving as an airman) made, prescribed, or allowed to become
of applicable provisions of title III of the
not operating an aircraft for the effective by the OTS. This section
Dodd-Frank Wall Street Reform and
transportation of passengers or property provides that if such materials were in
Consumer Protection Act (‘‘Dodd-Frank
for compensation. effect on the day before the transfer
Act’’).1 With the exception of one
(3) For violations that occurred on or date, they continue to be in effect and
provision (§ 391.5) the requirements for
before November 2, 2015, $25,000 per are enforceable by or against the
State savings associations in part 391,
violation, up to a total of $400,000 per appropriate successor agency until they
subpart A, are substantively identical to
civil penalty action, in the case of a are modified, terminated, set aside, or
the requirements in the FDIC’s 12 CFR
person operating an aircraft for the superseded in accordance with
part 326 (‘‘part 326’’), which is entitled
transportation of passengers or property applicable law by such successor
‘‘Minimum Security Procedures.’’ The
for compensation (except an individual agency, by any court of competent
one exception directs savings
serving as an airman). For violations jurisdiction, or by operation of law.
associations to comply with appendix B
that occurred after November 2, 2015, Section 316(c) of the Dodd-Frank Act,
to subpart B of Interagency Guidelines
$33,333 per violation, up to a total of
daltland on DSKBBV9HB2PROD with RULES
Establishing Information Security codified at 12 U.S.C. 5414(c), further
$533,324 per civil penalty action, in the directed the FDIC and the OCC to
Standards (Interagency Guidelines)
case of a person (except an individual consult with one another and to publish
contained in FDIC rules at part 364,
serving as an airman) operating an a list of the continued OTS regulations
aircraft for the transportation of 1 Dodd-Frank Wall Street Reform and Consumer that would be enforced by the FDIC and
passengers or property for Protection Act, Public Law 111–203, 124 Stat. 1376
compensation. (2010) (codified at 12 U.S.C. 5301 et seq.). 2 80 FR 65907 (Oct. 28, 2015).
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1](https://thefederalregister.org/doc/83_FR_13902/page/1.svg)
![13840 Federal Register / Vol. 83, No. 63 / Monday, April 2, 2018 / Rules and Regulations
the OCC, respectively. On June 14, 2011, ‘‘Minimum Security Procedures,’’ a rule substantively the same as the FDIC’s
the FDIC’s Board of Directors approved governing FDIC oversight of security rules in part 326, subpart A.7
a ‘‘List of OTS Regulations to be devices and procedures to discourage In 2001, the FDIC, other Federal
Enforced by the OCC and the FDIC burglaries, robberies, and larcenies, and banking agencies, and the OTS issued
Pursuant to the Dodd-Frank Wall Street assist law enforcement in the Interagency Guidelines for Safeguarding
Reform and Consumer Protection Act.’’ identification and apprehension of those Customer Information pursuant to
This list was published by the FDIC and who commit such crimes with respect to section 501 of the Gramm Leach Bliley
the OCC as a Joint Notice in the Federal insured depository institutions for Act (‘‘Protection of Nonpublic Personal
Register on July 6, 2011.3 which the FDIC has been designated the Information’’).8 At the same time, the
Although section 312(b)(2)(B)(i)(II) of appropriate Federal banking agency. OTS added a provision at the end of its
the Dodd-Frank Act, codified at 12 One provision in part 391, subpart A, security procedures rules at section
U.S.C. 5412(b)(2)(B)(i)(II), granted the namely § 391.5, is not contained in part 568.5 directing saving associations and
OCC rulemaking authority relating to 326, subpart A. It directs savings certain subsidiaries to comply with
both State and Federal savings associations and certain subsidiaries to appendix B to the Interagency
associations, nothing in the Dodd-Frank comply with the Interagency Guidelines Guidelines. In a preamble footnote, the
Act affected the FDIC’s existing Establishing Information Security OTS indicated that the reason for the
authority to issue regulations under the Standards, which were adopted jointly additional provision to its minimum
FDI Act and other laws as the by the OTS and the FDIC and other security rules was ‘‘[b]ecause
‘‘appropriate Federal banking agency’’ banking agencies, and are contained in information security guidelines are
or under similar statutory terminology. appendix B to part 364 in FDIC similar to physical security
Section 312(c) of the Dodd-Frank Act regulations. procedures.’’ 9 In 2004, following
amended the definition of ‘‘appropriate After careful review and comparison enactment of the Fair and Accurate
Federal banking agency’’ contained in Credit Transactions Act (FACT Act), the
of part 391, subpart A, and part 326, the
section 3(q) of the FDI Act, 12 U.S.C. OTS, FDIC, and other banking agencies
FDIC is adopting a Final Rule to rescind
1813(q), to add State savings revised the Interagency Guidelines for
part 391, subpart A, because, as
associations to the list of entities for Safeguarding Customer Information and
discussed below, it is substantively
which the FDIC is designated as the renamed them the Interagency
redundant to existing part 326, and
‘‘appropriate Federal banking agency.’’ Guidelines for Establishing Information
simultaneously finalizes the technical
As a result, when the FDIC acts as the Security Standards. The Interagency
conforming edits to the FDIC’s existing
designated ‘‘appropriate Federal Guidelines were located in the FDIC
rule.
banking agency’’ (or under similar rules at part 364. In 2015, the FDIC
terminology) for State savings FDIC’s Existing 12 CFR Part 326 and amended part 364 to, among other
associations, as it does here, the FDIC is Former OTS’s Part 568 (Transferred to reasons, make it applicable to State
authorized to issue, modify, and rescind FDIC’s Part 391, Subpart A) savings associations.10 After careful
regulations involving such associations, comparison of the FDIC’s part 326,
as well as for State nonmember banks Section 3 of the Bank Protection Act
of 1968 directed the appropriate Federal subpart A, with the transferred OTS rule
and insured branches of foreign banks. in part 391, subpart A, the FDIC has
As noted, on June 14, 2011, pursuant banking agencies and the OTS’
predecessor, the Federal Home Loan concluded that the transferred OTS
to this authority, the FDIC’s Board of rules governing minimum security
Directors reissued and redesignated Bank Board (‘‘FHLBB’’), to establish
minimum security standards for banks procedures are substantively redundant.
certain transferring regulations of the
and savings associations, at reasonable Based on the foregoing, the FDIC is
former OTS. These transferred OTS
cost, to serve as a deterrent to robberies, adopting a Final Rule to rescind and
regulations were published as new FDIC
burglaries, and larcenies, and to assist remove from the Code of Federal
regulations in the Federal Register on
law enforcement in identifying and Regulations the transferred OTS rules
August 5, 2011.4 When it republished
prosecuting persons who commit such located at part 391, subpart A, and to
the transferred OTS regulations as new
acts.5 In the initial rulemakings, the make technical amendments to part 326,
FDIC regulations, the FDIC specifically
agencies consulted and cooperated with subpart A, to incorporate State savings
noted that its staff would evaluate the
each other to promote a goal of associations.
transferred OTS rules, and might later
recommend incorporating the uniformity where practicable. The II. The Proposed Rule
transferred OTS regulations into other initial minimum security rules were
Regarding the functions of the former
FDIC rules, amending them, or simultaneously issued in January 1969
OTS that were transferred to the FDIC,
rescinding them as appropriate. and were substantively the same.6
section 316(b)(3) of the Dodd-Frank Act,
One of the OTS rules transferred to In 1991, the minimum security rules 12 U.S.C. 5414(b)(3), in pertinent part,
the FDIC governed OTS oversight of were substantially revised to reduce provides that the former OTS’s
minimum security devices and unnecessary specificity, remove regulations will be enforceable by the
procedures for State savings obsolete requirements, and place greater FDIC until they are modified,
associations. The OTS rule, formerly responsibility on the boards of directors terminated, set aside, or superseded in
found at 12 CFR part 568, was of insured financial institutions for accordance with applicable law. After
transferred to the FDIC with only establishing and ensuring the reviewing the rules currently found in
nominal changes, and is now found in implementation and maintenance of part 391, subpart A, the FDIC issued a
the FDIC’s rules at part 391, subpart A, security programs and procedures. The Notice of Proposed Rulemaking (‘‘NPR’’
daltland on DSKBBV9HB2PROD with RULES
entitled ‘‘Security Procedures.’’ Before former FHLBB rules at 12 CFR part 563a or ‘‘Proposed Rule’’), which proposed to
the transfer of the OTS rules and were redesignated as 12 CFR part 568 by
continuing today, the FDIC’s rules the OTS. The OTS rules remained 7 56 FR 29565 (June 28, 1991); 56 FR 13579 (April
contained part 326, subpart A, entitled 3, 1991).
5 12 8 66 FR 8616 (Feb. 1, 2001).
U.S.C. 1882.
3 76 FR 39247 (July 6, 2011). 6 34 9 Id. at footnote 2.
FR 618 (January 16, 1969); 34 FR 621
4 76 FR 47652 (Aug. 5, 2011). (January 16, 1969). 10 80 FR 65903 (Oct. 28, 2015).
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1](https://thefederalregister.org/doc/83_FR_13902/page/2.svg)
![Federal Register / Vol. 83, No. 63 / Monday, April 2, 2018 / Rules and Regulations 13843
institution shall designate a security (iii) The distance of the banking office Supervision (‘‘OTS’’) on July 21, 2011,
officer who shall have the authority, from the nearest responsible law in connection with the implementation
subject to the approval of the board of enforcement officers; of applicable provisions of title III of the
directors, to develop, within a (iv) The cost of the security devices; Dodd-Frank Wall Street Reform and
reasonable time, but no later than 180 (v) Other security measures in effect Consumer Protection Act (‘‘Dodd-Frank
days, and to administer a written at the banking office; and Act’’). The requirements for State
security program for each banking (vi) The physical characteristics of the savings associations in part 390, subpart
office. structure of the banking office and its I are substantively similar to the
surroundings. requirements in the FDIC’s 12 CFR part
§ 326.3 Security program. 343 (‘‘part 343’’) which is also entitled
(a) Contents of security program. The § 326.4 Reports. ‘‘Consumer Protection in Sales of
security program shall: The security officer for each Insurance.’’
(1) Establish procedures for opening institution shall report at least annually The FDIC is adopting a final rule to
and closing for business and for the to the institution’s board of directors on rescind in its entirety part 390, subpart
safekeeping of all currency, negotiable the implementation, administration, and I and to modify the scope of part 343 to
securities, and similar valuables at all effectiveness of the security program. include State savings associations and
times; their subsidiaries to conform to and
(2) Establish procedures that will PART 391—[REMOVED AND reflect the scope of the FDIC’s current
assist in identifying persons committing RESERVED] supervisory responsibilities as the
crimes against the institution and that appropriate Federal banking agency.
■ 3. Under the authority of 12 U.S.C. The final rule also defines ‘‘FDIC-
will preserve evidence that may aid in 1819(a) Tenth, part 391, consisting of
their identification and prosecution; supervised insured depository
subpart A, is removed and reserved. institution or institution’’ and ‘‘State
such procedures may include, but are
not limited to: Dated at Washington, DC, on March 20, savings association.’’ In the final rule,
2018. the FDIC also transfers an anticoercion
(i) Retaining a record of any robbery,
burglary, or larceny committed against By order of the Board of Directors. and antitying provision from part 390,
the institution; Federal Deposit Insurance Corporation. subpart I that is applicable to State
(ii) Maintaining a camera that records Valerie J. Best, savings associations.
activity in the banking office; and Assistant Executive Secretary. Upon removal of part 390, subpart I,
(iii) Using identification devices, such [FR Doc. 2018–06161 Filed 3–30–18; 8:45 am]
the Consumer Protection in Sales of
as prerecorded serial-numbered bills, or Insurance regulations applicable for all
BILLING CODE 6714–01–P
chemical and electronic devices; insured depository institutions for
which the FDIC has been designated the
(3) Provide for initial and periodic
FEDERAL DEPOSIT INSURANCE appropriate Federal banking agency will
training of officers and employees in
CORPORATION be found at 12 CFR part 343.
their responsibilities under the security
program and in proper employee I. Background
conduct during and after a robbery, 12 CFR Parts 343 and 390
The Dodd-Frank Act
burglar or larceny; and RIN 3064–AE49
(4) Provide for selecting, testing, The Dodd-Frank Act 1 provided for a
operating and maintaining appropriate Removal of Transferred OTS substantial reorganization of the
security devices, as specified in Regulations Regarding Consumer regulation of State and Federal savings
paragraph (b) of this section. Protection in Sales of Insurance associations and their holding
(b) Security devices. Each institution companies. Beginning July 21, 2011, the
AGENCY: Federal Deposit Insurance transfer date established by section 311
shall have, at a minimum, the following
Corporation. of the Dodd-Frank Act, codified at 12
security devices:
(1) A means of protecting cash or ACTION: Final rule. U.S.C. 5411, the powers, duties, and
other liquid assets, such as a vault, safe, functions formerly performed by the
SUMMARY: The Federal Deposit OTS were divided among the FDIC, as
or other secure space; Insurance Corporation (‘‘FDIC’’) is
(2) A lighting system for illuminating, to State savings associations, the Office
adopting a final rule to rescind and of the Comptroller of the Currency
during the hours of darkness, the area remove from the Code of Federal
around the vault, if the vault is visible (‘‘OCC’’), as to Federal savings
Regulations the part entitled ‘‘Consumer associations, and the Board of
from outside the banking office; Protection in Sales of Insurance’’ and to Governors of the Federal Reserve
(3) An alarm system or other amend current FDIC regulations to make System (‘‘FRB’’), as to savings and loan
appropriate device for promptly them applicable to state savings holding companies. Section 316(b) of
notifying the nearest responsible law associations. the Dodd-Frank Act, codified at 12
enforcement officers of an attempted or
DATES: This final rule is effective on U.S.C. 5414(b), provides the manner of
perpetrated robbery or burglary;
May 2, 2018. treatment for all orders, resolutions,
(4) Tamper-resistant locks on exterior
FOR FURTHER INFORMATION CONTACT: determinations, regulations, and
doors and exterior windows that may be
Martha L. Ellett, Counsel, Legal advisory materials that had been issued,
opened; and
Division, (202) 898–6765; John made, prescribed, or allowed to become
(5) Such other devices as the security
Jackwood, Senior Policy Analyst, effective by the OTS. This section
officer determines to be appropriate,
daltland on DSKBBV9HB2PROD with RULES
Division of Depositor and Consumer provides that if such materials were in
taking into consideration:
Protection, (202) 898–3991. effect on the day before the transfer
(i) The incidence of crimes against
date, they continue to be in effect and
financial institutions in the area; SUPPLEMENTARY INFORMATION: Part 390,
(ii) The amount of currency or other subpart I was included in the 1 Dodd-Frank Wall Street Reform and Consumer
valuables exposed to robbery, burglary, regulations that were transferred to the Protection Act, Public Law 111–203, 124 Stat. 1376
and larceny; FDIC from the Office of Thrift (2010) (codified at 12 U.S.C. 5301 et seq.).
VerDate Sep<11>2014 16:23 Mar 30, 2018 Jkt 244001 PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 E:\FR\FM\02APR1.SGM 02APR1](https://thefederalregister.org/doc/83_FR_13902/page/5.svg)
Document Created: 2018-11-01 09:08:39
Document Modified: 2018-11-01 09:08:39
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Rules and Regulations | |
| Action | Final rule. | |
| Dates | The final rule is effective on May 2, 2018. | |
| Contact | Lauren Whitaker, Senior Attorney, Consumer Compliance Section, Legal Division (202) 898-3872; Karen Jones Currie, Senior Examination Specialist, Division of Risk Management and Supervision (202) 898-3981. | |
| FR Citation | 83 FR 13839 | |
| RIN Number | 3064-AE47 | |
| CFR Citation | 12
CFR
326 12 CFR 391 | |
| CFR Associated | Banks; Banking; Minimum Security Procedures; Savings Associations and Security Procedures |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR