FR4100_20210221_omb

Supporting Statement for the
Reporting, Recordkeeping, and Disclosure Provisions Associated with the
Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice
(FR 4100; OMB No. 7100-0309)
Summary
The Board of Governors of the Federal Reserve System (Board), under authority
delegated by the Office of Management and Budget (OMB), has extended for three years,
without revision, the Reporting, Recordkeeping, and Disclosure Provisions Associated with the
Guidance on Response Programs for Unauthorized Access to Customer Information and
Customer Notice (FR 4100; OMB No. 7100-0309). The FR 4100 is the Board’s information
collection associated with the Interagency Guidance on Response Programs for Unauthorized
Access to Customer Information and Customer Notice (ID-Theft Guidance or Guidance). The
ID-Theft Guidance was published in the Federal Register in March 2005.1
The ID-Theft Guidance, which applies to financial institutions, was issued in response to
developing trends in the theft and accompanying misuse of customer information. The Guidance
includes certain voluntary reporting, recordkeeping, and disclosure provisions. With respect to
entities supervised by the Board, the Guidance applies to state member banks, bank holding
companies (BHCs), affiliates and certain non-banking subsidiaries of BHCs, uninsured state
agencies and branches of foreign banks, commercial lending companies owned or controlled by
foreign banks, savings and loan holding companies (SLHCs), and Edge and agreement
corporations.
The estimated total annual burden for the FR 4100 is 29,940 hours. There is no formal
reporting form for this collection of information (the FR 4100 designation is for internal
purposes only).
Background and Justification
On February 1, 2001, the Board, Federal Deposit Insurance Corporation, Office of the
Comptroller of the Currency, and Office of Thrift Supervision (OTS)2 (collectively, the agencies)
published the Interagency Guidelines Establishing Standards for Safeguarding Customer
Information (Security Guidelines),3 which were published to fulfill a requirement in section
501(b) of the Gramm-Leach-Bliley Act (GLBA) that requires the agencies to establish
appropriate standards for financial institutions to develop and implement an information security
program designed to protect their customers’ information and a response program that specifies
actions to be taken when the institution suspects or detects that unauthorized individuals have
gained access to customer information systems. To address the need for additional interpretive
1

See 70 FR 15736 (March 29, 2005).
The Dodd-Frank Wall Street Reform and Consumer Protection Act transferred the powers and duties of the OTS to
the Board, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and Office of the
Comptroller of the Currency, and the OTS was abolished.
3
See 66 FR 8615 (February 1, 2001).
2

guidance regarding section 501(b) of GLBA and the Security Guidelines, on March 29, 2005, the
agencies adopted the ID-Theft Guidance. The ID-Theft Guidance sets forth guidelines for how
financial institutions should provide notice to customers affected by unauthorized access to or
use of customer information that could result in substantial harm or inconvenience to those
customers and describes the suggested components of a response program for such incidents.
The ID-Theft Guidance states that an institution should notify affected customers as soon
as possible when it becomes aware of unauthorized access to “sensitive customer information” if
the institution determines that misuse of its information about a customer has occurred or is
reasonably possible and should take appropriate steps to safeguard the interests of affected
customers, including monitoring affected customers’ accounts for unusual or suspicious activity.
For the purposes of the ID-Theft Guidance, the agencies define sensitive customer
information to mean a customer’s social security number, driver’s license number, account
number, credit or debit card number, or a personal identification number or password, in
conjunction with a personal identifier, such as the individual’s name, address, or telephone
number. Sensitive customer information also includes any combination of components of
customer information that would allow someone to log on to or access the customer’s account,
such as user name and password.
The ID-Theft Guidance provides that a suggested component of a financial institution’s
incident response program is notifying its appropriate regulatory authority (ARA) upon
becoming aware of an incident of unauthorized access to or use of sensitive customer
information. The ID-Theft Guidance leaves the form and content of regulatory notice to the
discretion of the subject financial institution. Reserve Banks use such notifications to monitor the
institution’s implementation of the ID-Theft Guidance, and thus enhance the supervision of
individual institutions. Further, information collected from notices permits improved monitoring
of security and ID-theft related trends in the industry, and thus enhances the development of
future supervisory guidance and, more generally, informs the Board’s cyber security program.
Description of Information Collection
Develop Response Program
The Security Guidelines require that every financial institution develop a response
program to protect against and address reasonably foreseeable risks associated with internal and
external threats to the security of customer information. The ID-Theft Guidance describes the
suggested components of a response program, which include procedures for notifying customers
about incidents of unauthorized access to, or use of, customer information that could result in
substantial harm or inconvenience to the customer.
The ID-Theft Guidance also provides that a financial institution is expected to
expeditiously implement its response program to address incidents of unauthorized access to
customer information. A response program should contain policies and procedures that enable
the financial institution to:
• Assess the situation to determine the nature and scope of the incident, and identify the

2

•
•

•

information systems and types of customer information affected,
Notify the institution’s ARA and, in accordance with applicable regulations and
guidance, file a Suspicious Activity Report (SAR; FR 2230; OMB No. 7100-0212) and
notify appropriate law enforcement agencies,
Take measures to contain and control the incident to prevent further unauthorized access
to or misuse of customer information, including shutting down particular applications or
third party connections, reconfiguring firewalls, changing computer access codes, and
modifying physical access controls, and
Notify customers when warranted.

Under the ID-Theft Guidance, where an incident of unauthorized access to customer
information involves customer information systems maintained by an institution’s service
providers, it is suggested that the financial institution notify the institution’s customers and
regulator. However, an institution may authorize or contract with its service provider to notify
the institution’s customers or regulator on its behalf.
Incident Notification
The ID-Theft Guidance provides that a financial institution should notify each affected
customer as soon as possible when it becomes aware of an incident of unauthorized access to
sensitive customer information if the institution determines that misuse of its information about a
customer has occurred or is reasonably possible.
Customer notice should be given in a clear and conspicuous manner. The notice should
describe the incident in general terms and the type of customer information that was the subject
of unauthorized access or use. It also should generally describe what the institution has done to
protect the customers’ information from further unauthorized access. In addition, it should
include a telephone number that customers can call for further information and assistance. The
notice also should remind customers of the need to remain vigilant over the next 12 to 24 months
and to promptly report incidents of suspected identity theft to the institution. The notice should
include the following additional items, when appropriate:
• A recommendation that the customer review account statements and immediately report
any suspicious activity to the institution,
• A description of fraud alerts and an explanation of how the customer may place a fraud
alert in the customer’s consumer reports to put the customer’s creditors on notice that the
customer may be a victim of fraud,
• A recommendation that the customer periodically obtain credit reports from each
nationwide credit reporting agency and have information relating to fraudulent
transactions deleted,
• An explanation of how the customer may obtain a credit report free of charge, and
• Information about the availability of the Federal Trade Commission’s (FTC’s) online
guidance regarding steps a consumer can take to protect against identity theft. The notice
should encourage the customer to report any incidents of identity theft to the FTC and
should provide the FTC’s website address and toll-free telephone number that customers

3

may use to obtain the identity theft guidance and report suspected incidents of identity
theft.4
The ID-Theft Guidance also encourages financial institutions to notify the nationwide
consumer reporting agencies prior to sending notices to a large number of customers that include
contact information for the reporting agencies
Respondent Panel
The FR 4100 respondents consist of the following Board-regulated financial institutions:
state member banks, BHCs, affiliates and certain non-banking subsidiaries of BHCs, uninsured
state agencies and branches of foreign banks, commercial lending companies owned or
controlled by foreign banks, SLHCs, and Edge and agreement corporations.
Time Schedule for Information Collection
The ID-Theft Guidance provides that a financial institution is expected to expeditiously
implement its response program to address incidents of unauthorized access to customer
information. The guidance provides that a financial institution regulated by the Board should
notify its designated Reserve Bank upon becoming aware of an incident of unauthorized access
to sensitive customer information. It also provides that a financial institution should notify each
affected customer of an incident of unauthorized access to sensitive customer information when
the institution determines that misuse of such information has occurred or that misuse is
reasonably possible.
Public Availability of Data
There is no data related to this information collection available to the public.
Legal Status
The FR 4100 is authorized by section 501(b) of the GLBA (15 U.S.C. § 6801(b)), which
requires the Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the
Currency to establish appropriate standards for financial institutions to develop and implement
an information security program designed to protect their customers’ information and a response
program to that specify actions to be taken when the institution suspects or detects that
unauthorized individuals have gained access to customer information systems. Because the
provisions under the FR 4100 are contained in guidance, which is nonbinding, the provisions are
voluntary.5
The disclosure provisions of FR 4100 are not confidential. The records maintained under
4

Currently, the FTC website for ID Theft information is https://www.consumer.ftc.gov/features/feature-0014identity-theft. The institution may also refer customers to any materials developed pursuant to section 151(b) of the
Fair and Accurate Credit Transactions Act (FACT Act), which are educational materials developed by the FTC to
teach the public how to prevent identity theft.
5
See SR 18-5 / CA 18-7: Interagency Statement Clarifying the Role of Supervisory Guidance (September 11, 2018);
https://www.federalreserve.gov/supervisionreg/srletters/sr1805.htm.

4

recordkeeping provisions of FR 4100 would be maintained at each banking organization, and the
Freedom of Information Act (FOIA) would only be implicated if the Board obtained such
records as part of the examination or supervision of a banking organization. In the event the
records are obtained by the Board as part of an examination or supervision of a financial
institution, this information would be considered confidential pursuant to exemption 8 of the
FOIA, which protects information contained in “examination, operating, or condition reports”
obtained in the bank supervisory process. In addition, the information obtained by the Board
under the FR 4100 may also be kept confidential under exemption 4 for the FOIA, which
protects commercial or financial information obtained from a person that is privileged or
confidential (5 U.S.C. § 552(b)(4)).
Consultation Outside the Agency
Representatives from the Board, Federal Deposit Insurance Corporation, and Office of
the Comptroller of the Currency responsible for the reporting, recordkeeping, and disclosure
requirements associated with the ID-Theft Guidance have reviewed their respective information
collections and agreed that no revisions to the collections are necessary at this time.
Public Comments
On October 14, 2020, the Board published an initial notice in the Federal Register
(85 FR 65046) requesting public comment for 60 days on the extension, without revision, of the
FR 4100. The comment period for this notice expired on December 14, 2020. The Board did not
receive any comments. On February 16, 2021, the Board published a final notice in the Federal
Register (86 FR 9506).
Estimate of Respondent Burden
As shown in the table below, the estimated total annual burden for the FR 4100 is 29,940
hours. The Security Guidelines require financial institutions to develop and maintain a response
program to address unauthorized access to customer information maintained by the institution or
its service providers, and the ID-Theft Guidance sets forth the suggested components of such a
program. Staff estimates that 1 new institution per year would take 24 hours on average to
develop its response program. On a continuing basis, burden associated with maintenance of the
response program is considered negligible. For each incident of unauthorized access to or use of
customer information, the ID-Theft Guidance suggests that a financial institution prepare and
send a notice to its federal regulator, affected customers, and service providers. The Board
estimates that financial institutions6 will prepare and send 831 notifications per year, with an
estimated 36 hours per incident.7 These reporting, recordkeeping, and disclosure provisions
represent less than 1 percent of the Board’s total paperwork burden.
6

Based on data from the Federal Reserve System Cyber Event Repository (CER) database, Supervision and
Regulation staff determined that from 2017-2019, an average of 831 incident notifications were filed each year with
the Federal Reserve System, affected customers, and service providers.
7
Per the March 29, 2005, Federal Register notice, the Board considers incident notification to be the responsibility
of the financial institution. If the financial institution chooses to have a service provider disclose information on
their behalf that burden is considered part of Incident Notification as shown in the burden table.

5

FR 4100

Estimated
number of
respondents8

Annual
frequency

Estimated
average hours
per response

Estimated
annual burden
hours

831

1

9

7,479

1

1

24

24

831

1

27

22,437

Reporting
Incident notification to the
Board
Recordkeeping
Develop response program
Disclosure
Incident notification to
customers and service
providers
Total

29,940

The estimated total annual cost to the public for the FR 4100 is $1,729,035.9
Sensitive Questions
This collection of information contains no questions of a sensitive nature, as defined by
OMB guidelines.
Estimate of Cost to the Federal Reserve System
The estimated annual cost to the Federal Reserve System for processing this information
collection is negligible.

8

Of these respondents, 36 are considered small entities as defined by the Small Business Administration (i.e.,
entities with less than $600 million in total assets), https://www.sba.gov/document/support--table-size-standards.
There are no special accommodations given to mitigate the burden on small institutions. When promulgating the
Guidance, the agencies determined not to exempt small institutions from the Guidance. However, the agencies noted
that an institution’s program will vary depending on the size and complexity of the institution and the nature and
scope of its activities.
9
Total cost to the public was estimated using the following formula: percent of staff time, multiplied by annual
burden hours, multiplied by hourly rates (30% Office & Administrative Support at $20, 45% Financial Managers at
$71, 15% Lawyers at $70, and 10% Chief Executives at $93). Hourly rates for each occupational group are the
(rounded) mean hourly wages from the Bureau of Labor and Statistics (BLS), Occupational Employment and Wages
May 2019, published March 31, 2020, https://www.bls.gov/news.release/ocwage.t01.htm. Occupations are defined
using the BLS Standard Occupational Classification System, https://www.bls.gov/soc/.

6