Agencies Adopt Guidelines for Customer Information Security

January 17, 2001

The federal bank and thrift regulatory agencies have sent to the Federal Register joint guidelines for safeguarding confidential customer information. The guidelines implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), and will be effective on July 1, 2001.

The report to Congress, required by the Gramm-Leach-Bliley Act, called for continued research and, most importantly, continued evaluation of financial institution supervisors' experience in using information derived from voluntarily issued subordinated debt. Virtually all of the largest banking organizations already issue subordinated debt. The agencies monitor subordinated debt yields and issuance patterns in evaluating the condition of large depository institution organizations.

The GLBA requires the agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information. These safeguards are to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer.

The guidelines require financial institutions to establish an information security program to: (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. Each institution may implement a security program appropriate to its size and complexity and the nature and scope of its operations.

The guidelines outline specific security measures that institutions should consider in implementing a security program. A financial institution must adopt those security measures determined to be appropriate.

The guidelines also outline responsibilities of directors of financial institutions in overseeing the protection of customer information. The board of directors should oversee an institution's efforts to develop, implement, and maintain an effective information security program and approve written information security policies and programs.

The guidelines require financial institutions to oversee their service provider arrangements in order to protect the security of customer information maintained or processed by service providers. Each institution must exercise due diligence in selecting its service providers, and require its service providers by contract to implement security measures that safeguard customer information. Where indicated by an institution's risk assessment, the institution must also monitor its service providers by reviewing audits, summaries of test results, or other equivalent evaluation of its service providers, to confirm that they have satisfied their contractual obligations.

Attachment (176 KB PDF)

Source: Federal Reserve Board

Contact ALTA at 202-296-3671 or

SoftPro, based in Raleigh, NC, offers a mature suite of products, designed specifically for the closing and title industry. Our mission is to serve our client base, with best-in-class products and services. Our products are modular so we don't force you to buy anything you don't need. You can always add on as your business grows. Unlike other software companies, we view the sale as the beginning of the relationship rather than the end. North American Title Insurance Company (NATIC) is a seasoned title insurance underwriter, helping title agents to achieve their individual business goals for more than 50 years. Today, the company conducts real estate settlement services in 39 states and the District of Columbia through a network of experienced, independent agents.