FR4100_20141126_omb

Supporting Statement for the
Recordkeeping and Disclosure Requirements Associated with the
Guidance on Response Programs for Unauthorized Access to Customer Information
(FR 4100; OMB No. 7100-0309)
Summary
The Board of Governors of the Federal Reserve System, under delegated authority from
the Office of Management and Budget (OMB), proposes to extend for three years, without
revision, the Recordkeeping and Disclosure Requirements Associated with the Guidance on
Response Programs for Unauthorized Access to Customer Information (ID-Theft Guidance;
FR 4100; OMB No. 7100-0309). The ID-Theft Guidance is the information collection
associated with the Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice (security guidelines), which was published in the
Federal Register in March 2005.1 Trends in customer information theft and the accompanying
misuse of that information led to the issuance of these security guidelines applicable to financial
institutions. The security guidelines are designed to facilitate timely and relevant notification to
affected customers and the appropriate regulatory authority (ARA) of the financial institutions.
The security guidelines provide specific direction regarding the development of response
programs and customer notifications. The annual burden for the ID-Theft Guidance is estimated
to be 5,892 hours.
Background and Justification
On March 29, 2005, the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of
Thrift Supervision, and National Credit Union Administration (collectively, the agencies),
published the security guidelines in the Federal Register. These security guidelines were
published to fulfill a requirement in section 501(b) of the Gramm-Leach-Bliley Act (GLBA) that
requires financial institutions2 to develop and implement an information security program
designed to protect their customers’ information.3 The ID-Theft Guidance describes the
required components of a response program and sets a standard for providing notice to customers
affected by unauthorized access to or use of customer information that could result in substantial
harm or inconvenience to those customers.

1

(70 FR 15736)
GLBA defines Federal Reserve-regulated institutions as: State member banks (SMBs), bank holding companies
(BHCs), affiliates and certain non-bank subsidiaries of bank holding companies, uninsured state agencies and
branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and
agreement corporations. Based on the Board of Governors of the Federal Reserve System 96th Annual Report
2009there are: 5,634.U.S. BHCs, 878 State member banks, 225 Branches & agencies of foreign banks, 2
Commercial lending companies, and 67 Edge and agreement corporations.
3
The agencies may treat an institution’s failure to implement the requirements in the ID-Theft guidance as a
violation of the § 501(b) guidelines or as an unsafe or unsound practice within the meaning of 12 U.S.C. 1786 or
1818.
2

The ID-Theft Guidance states that:
an institution should notify affected customers when it becomes aware of unauthorized
access to “sensitive customer information” unless the institution, after an appropriate
investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate
steps to safeguard the interests of affected customers, including monitoring affected
customers’ accounts for unusual or suspicious activity.
For the purposes of the ID-Theft Guidance, the agencies define sensitive customer information to
mean a customer’s social security number, personal identification number, or account number, in
conjunction with a personal identifier, such as the individual’s name, address, or telephone
number. Sensitive customer information also includes any combination of components of
customer information that would allow someone to log onto or access another person’s account,
such as user name and password.
The ID-Theft Guidance provides that an expected component of a financial institution’s
incident response program is notifying its ARA upon becoming aware of an incident of
unauthorized access to sensitive customer information. The ID-Theft Guidance leaves the form
and content of regulatory notice to the discretion of the subject financial institution. Reserve
Banks use such notifications to monitor the institution’s implementation of the ID-Theft
Guidance, and thus, enhance the supervision of individual institutions. Further, information
collected from notices permit improved monitoring of security and ID-theft related trends in the
industry, and thus, enhance the development of future supervisory guidance. While each agency
participated in the issuance of the ID-Theft Guidance, each agency independently implemented
the guidance and communicated that implementation with the institutions under their respective
primary jurisdiction.
Description of Information Collection
Response Program
The ID-Theft Guidance states that every financial institution develop a response program
to protect against and address reasonably foreseeable risks associated with internal and external
threats to the security of customer information. The ID-Theft Guidance further describes the
components of a response program, which includes procedures for notifying customers about
incidents of unauthorized access to or use of customer information that could result in substantial
harm or inconvenience to the customer. It also provides that a financial institution is expected to
expeditiously implement its response program to address incidents of unauthorized access to
customer information.
A response program should contain policies and procedures that enable the financial
institution to:
 Assess the situation to determine the nature and scope of the incident, and identify the
information systems and types of customer information affected;
 Notify the institution’s ARA and, in accordance with applicable regulations and
2





guidance, file a Suspicious Activity Report (SAR; FR 2230; OMB No. 7100-0212) and
notify appropriate law enforcement agencies;
Take measures to contain and control the incident to prevent further unauthorized access
to or misuse of customer information, including shutting down particular applications or
third party connections, reconfiguring firewalls, changing computer access codes, and
modifying physical access controls; and
Notify customers when warranted.

Where an incident of unauthorized access to customer information involves customer
information systems maintained by an institution's service providers, it is the responsibility of the
financial institution to notify the institution's customers and regulator. However, an institution
may authorize or contract with its service provider to notify the institution's customers or
regulator on its behalf.
Notification Requirements
The ID-Theft Guidance provides that a financial institution should notify each affected
customer when it becomes aware of an incident of unauthorized access to sensitive customer
information, unless the institution can reasonably conclude that the information will not be
misused.
Customer notice should be given in a clear and conspicuous manner. The notice should
describe the incident in general terms and the type of customer information that was the subject
of unauthorized access or use. It also should generally describe what the institution has done to
protect the customers' information from further unauthorized access. In addition, it should
include a telephone number that customers can call for further information and assistance. The
notice also should remind customers of the need to remain vigilant over the next 12 to 24 months
and to promptly report incidents of suspected identity theft to the institution. The notice should
include the following additional items, when appropriate:
 A recommendation that the customer review account statements and immediately report
any suspicious activity to the institution;
 A description of fraud alerts and an explanation of how the customer may place a fraud
alert in the customer's consumer reports to put the customer's creditors on notice that the
customer may be a victim of fraud;
 A recommendation that the customer periodically obtain credit reports from each
nationwide credit reporting agency and have information relating to fraudulent
transactions deleted;
 An explanation of how the customer may obtain a credit report free of charge; and
 Information about the availability of the Federal Trade Commission’s (FTC's) online
guidance regarding steps a consumer can take to protect against identity theft. The notice
should encourage the customer to report any incidents of identity theft to the FTC and
should provide the FTC's Web site address and toll-free telephone number that customers

3

may use to obtain the identity theft guidance and report suspected incidents of identity
theft.4
Time Schedule for Information Collection
The ID-Theft Guidance provides that a financial institution is expected to expeditiously
implement its response program to address incidents of unauthorized access to customer
information. The guidance provides that a financial institution should notify its designated
Reserve Bank upon becoming aware of an incident of unauthorized access to sensitive customer
information. It also provides that a financial institution should notify each affected customer of
an incident of unauthorized access to sensitive customer information when the institution
determines that misuse of such information has occurred or that misuse is reasonably possible.
Sensitive Questions
This collection of information contains no questions of a sensitive nature, as defined by
OMB guidelines.
Consultation Outside the Agency
Representatives from the agencies responsible for the recordkeeping and disclosure
requirements associated with the ID-Theft Guidance have reviewed their respective information
collections and agreed that revisions to the collections are not necessary at this time. On October
29, 2014, the Federal Reserve published a notice in the Federal Register (79 FR 64388)
requesting public comment for 60 days on the extension, without revision, of the FR 4100. The
comment period for this notice expired on December 29, 2014. The Federal Reserve did not
receive any comments. On February 2, 2015, the Federal Reserve published a final notice in the
Federal Register (80 FR 5531), extending the information collection for three years as proposed.
Legal Status
The Board's Legal Division has determined that the recordkeeping and disclosure
requirements associated with the FR 4100 are authorized by the GLBA and are mandatory (15
U.S.C. § 6801(b)). Since the Board does not collect information associated with the FR 4100,
any issue of confidentiality would not generally be an issue. However, confidentiality may arise
if the Board were to obtain a copy of a customer notice during the course of an examination or
were to receive a copy of a SAR. In such cases the information would be exempt from
disclosure to the public under the Freedom of Information Act (5 U.S.C 552(b)(3), (4), and (8)).
Also, a federal employee is prohibited by law from disclosing a SAR or the existence of a SAR
(31 U.S.C. 5318(g)).

4

Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are
http://www.ftc.gov/bcp/edu/microsites/idtheft/ and 1-877-IDTHEFT, respectively. The institution may also refer customers to
any materials developed pursuant to section 151(b) of the FACT Act (educational materials developed by the FTC to teach the
public how to prevent identity theft).

4

Estimate of Respondent Burden
The total annual burden for the FR 4100 is estimated to be 5,892 hours, as shown in the
table below. The ID-Theft Guidance requires financial institutions to develop and maintain a
response program to address unauthorized access to customer information maintained by the
institution or its service providers. Based on 2013 data, staff estimates that 19 new institutions
would take, on average, 24 hours (3 business days) to implement its response program. On a
continuing basis, burden associated with maintenance of the response program is considered
negligible. For each qualifying incident the ID-Theft Guidance requires financial institutions to
prepare and send notices to its federal regulator, affected customers, and service providers. The
Federal Reserve estimates that 151 financial institutions5 would take on average 36 hours (4.5
business days) per incident to prepare and send notifications. The burden estimate does not
include time for financial institutions to adjust their contracts with service providers, if needed;
nor for service providers to disclose information pursuant to the ID-Theft Guidance. The
recordkeeping and disclosure requirements represent less than 1 percent of total Federal Reserve
System paperwork burden.
Number
of
respondents

Estimated
annual
frequency

Estimated
average
time per
response

Estimated
annual
burden
hours

19

1

24 hours

456

151

1

36 hours

5,436

Recordkeeping:
Develop response program
Disclosure:
Incident notification

5,892

Total
The total cost to the public is estimated to be $299,903.6
Estimate of Cost to the Federal Reserve System

The annual cost to the Federal Reserve System for processing this information collection
is negligible.
5
Based on data from the Federal Reserve System Security Incident Notification System (SINS) database, BS&R
staff determined that during 2013, 43 SMBs and 108 BHCs filed incident notifications with the Federal Reserve
System, affected customers, and service providers.
6
Total cost to the public was estimated using the following formula: percent of staff time, multiplied by annual
burden hours, multiplied by hourly rates (30% Office & Administrative Support at $18, 45% Financial Managers at
$61, 15% Lawyers at $63, and 10% Chief Executives at $86). Hourly rate for each occupational group are the
(rounded) mean hourly wages from the Bureau of Labor and Statistics (BLS), Occupational Employment and Wages
2013, www.bls.gov/news.release/ocwage.nr0.htm. Occupations are defined using the BLS Occupational
Classification System, www.bls.gov/soc/

5