Agency Information Collection Activities: Announcement of Board Approval Under Delegated Authority and Submission to OMB

AGENCY:

Board of Governors of the Federal Reserve System.

SUMMARY:

The Board of Governors of the Federal Reserve System (Board) is adopting a proposal to extend for three years, without revision the Reporting, Recordkeeping, and Disclosure Provisions Associated with the Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (FR 4100; OMB No. 7100-0309).

FOR FURTHER INFORMATION CONTACT:

Federal Reserve Board Clearance Officer—Nuha Elmaghrabi—Office of the Chief Data Officer, Board of Governors of the Federal Reserve System, Washington, DC 20551, (202) 452-3829. Office of Management and Budget (OMB) Desk Officer—Shagufta Ahmed—Office of Information and Regulatory Affairs, Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street NW, Washington, DC 20503, or by fax to (202) 395-6974.

SUPPLEMENTARY INFORMATION:

On June 15, 1984, OMB delegated to the Board authority under the PRA to approve and assign OMB control numbers to collections of information conducted or sponsored by the Board. Board-approved collections of information are incorporated into the official OMB inventory of currently approved collections of information. The OMB inventory, as well as copies of the PRA Submission, supporting statements, and approved collection of information instrument(s) are available at https://www.reginfo.gov/public/do/PRAMain. These documents are also available on the Federal Reserve Board's public website at https://www.federalreserve.gov/apps/reportforms/review.aspx or may be requested from the agency clearance officer, whose name appears above.

Final Approval Under OMB Delegated Authority of the Extension for Three Years, Without Revision, of the Following Information Collection

Report title: Reporting, Recordkeeping, and Disclosure Provisions Associated with the Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

Agency form number: FR 4100.

OMB control number: 7100-0309.

Frequency: On occasion.

Respondents: State member banks, bank holding companies (BHCs), affiliates and certain non-banking subsidiaries of BHCs, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, savings and loan holding companies, and Edge and agreement corporations.

Estimated number of respondents: Recordkeeping, 1; Reporting, 831; Disclosure, 831.

Estimated average hours per response: Recordkeeping, 24 hours; Reporting, 9 hours; Disclosure, 27 hours.

Estimated annual burden hours: Recordkeeping, 24 hours; Reporting, 7,479 hours; Disclosure, 22,437 hours.

General description of report: The FR 4100 is the Board's information collection associated with the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“ID-Theft Guidance” or “Guidance”). The ID-Theft Guidance was published in the Federal Register in March 2005. The ID-Theft Guidance, which applies to financial institutions, was issued in response to developing trends in the theft and accompanying misuse of customer information. The Guidance includes certain voluntary reporting, recordkeeping, and disclosure provisions.

Legal authorization and confidentiality: The FR 4100 is authorized by section 501(b) of the Gramm-Leach-Bliley Act, which requires the Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency to establish appropriate standards for financial institutions to develop and implement an information security program designed to protect their customers' information and a response program that specifies actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems.

Because the provisions under the FR 4100 are contained in guidance, which is nonbinding, the provisions are voluntary.

The disclosure provisions of FR 4100 are not confidential. The records maintained under recordkeeping provisions of FR 4100 would be maintained at each banking organization, and the Freedom of Information Act (“FOIA”) would only be implicated if the Board obtained such records as part of the examination or supervision of a banking organization. In the event the records are obtained by the Board as part of an examination or supervision of a financial institution, this information may be considered confidential pursuant to exemption 8 of the FOIA, which protects information contained in “examination, operating, or condition reports” obtained in the bank supervisory process. In addition, the information obtained by the Board under the FR 4100 may also be kept confidential under exemption 4 for the FOIA, which protects commercial or financial information obtained from a person that is privileged or confidential.

Current actions: On October 14, 2020, the Board published a notice in the Federal Register (85 FR 65046) requesting public comment for 60 days on the extension, without revision, of the Reporting, Recordkeeping, and Disclosure Provisions Associated with the Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The comment period for this notice expired on December 14, 2020. The Board did not receive any comments.