SPST-0145 Notice Unauthorized Access Customer Information 2022 Renewal FINAL


Notice Regarding Unauthorized Access to Customer Information

OMB: 3064-0145



SUPPORTING STATEMENT

NOTICE REGARDING UNAUTHORIZED ACCESS TO CUSTOMER INFORMATION

(OMB Control No. 3064-0145)



INTRODUCTION


The FDIC is requesting OMB approval for a three-year extension, without change in the method or substance of collection, to continue the information collection requirements contained in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice published jointly by the FDIC, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency. The information collection expires on April 30, 2022.


  A. JUSTIFICATION


  1. Circumstances that make the collection necessary:


The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice describes the Agencies’ expectations regarding a response program, including customer notification procedures, that a financial institution should develop and apply under the circumstances described in the Guidance to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The Guidance advises financial institutions when and how they might develop and adopt policies and procedures regarding unauthorized access to customer information. The Guidance also states that "an institution should notify affected customers when it becomes aware of unauthorized access to sensitive customer information unless the institution, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including monitoring affected customers' accounts for unusual or suspicious activity."


  2. Use of information collected:


The collection is intended to help financial institutions develop administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.


A response program, of which this collection is a critical part, contains policies and procedures that enable the financial institution to: (a) assess the situation to determine the nature and scope of the incident, and identify the information systems and types of customer information affected; (b) notify the institution’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies; (c) take measures to contain and control the incident to prevent further unauthorized access to or misuse of customer information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and (d) address and mitigate harm to individual customers.


  3. Consideration of the use of improved information technology:


Institutions are free to use whatever methods are the least burdensome to them for sending the necessary information to the FDIC.


  4. Efforts to identify duplication:


There is no duplication. Each respondent is encouraged to adopt policies and procedures appropriate to their particular circumstances, level of complexity and size.


  5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:


The information collection is not expected to have a significant impact on a substantial number of small entities. Each respondent is encouraged to adopt policies and procedures appropriate to their particular circumstances, level of complexity and size.


  6. Consequences to the Federal program if the collection were conducted less frequently:


The FDIC believes that less frequent collection (a less stringent disclosure standard) would result in unacceptable risk of harm to customers of financial institutions.


  7. Special circumstances necessitating collection inconsistent with 5 CFR Part 1320.5(d)(2):


None. The information is collected in a manner consistent with 5 CFR Part 1320.5(d)(2).


  8. Efforts to consult with persons outside the agency:


A 60-day notice seeking public comment on the FDIC’s renewal of the information collection was published on January 13, 2022 (87 FR 2155). One comment was received, but it did not address the substance of this information collection.


  9. Payment or gift to respondents:


Not applicable.


  10. Any assurance of confidentiality:


Any information deemed to be of a confidential nature would be exempt from public disclosure in accordance with the provisions of the Freedom of Information Act (5 U.S.C. 552).


  11. Justification for questions of a sensitive nature:


The information collection does not request information of a sensitive nature.


  12. Estimate of hour burden including annualized hourly costs:


Summary of Estimated Annual Burden (OMB No. 3064-0145)

| Information collection description | Type of burden (obligation to respond) | Frequency of response | Number of respondents | Hours per response | Annual burden (hours) |
|---|---|---|---|---|---|
| Implementation (One Time) | | | | | |
| Develop Policies and Procedures for Response Program | Recordkeeping (Required) | | 10 | 24 | 240 |
| Ongoing | | | | | |
| Notice Regarding Unauthorized Access to Customer Information | Third Party Disclosure (Required) | On occasion | 315 | 36 | 11,340 |
| Total Annual Burden (Hours) | | | | | 11,580 |

Source: FDIC.


Total estimated annual burden hours: 11,580

Total estimated annual cost: 11,580 hours x $92.83 = $1,074,971

Summary of Hourly Burden Cost Estimate (OMB No. 3064-0145)

| Estimated category of personnel responsible for complying with the PRA | Total estimated hourly compensation | Estimated weights | Estimated total weighted labor cost component |
|---|---|---|---|
| Executives and managers* | $131.09 | 10% | $13.11 |
| Lawyers** | $156.79 | 15% | $23.52 |
| Compliance Officers*** | $69.38 | 15% | $10.41 |
| IT Specialists**** | $96.71 | 20% | $19.34 |
| Financial Analysts***** | $84.43 | 25% | $21.11 |
| Office and Administrative Support Occupations****** | $35.62 | 15% | $5.34 |
| Weighted Average Wage | | 100% | $92.83 |

Source: Bureau of Labor Statistics: "National Industry-Specific Occupational Employment and Wage Estimates: Industry: Credit Intermediation and Related Activities (5221 And 5223 only)" (May 2020), Employer Cost of Employee Compensation (June 2021), Consumer Price Index (June 2021).

* Occupation (SOC Code): Management Occupations (110000)

** Occupation (SOC Code): Legal Occupations (230000)

*** Occupation (SOC Code): Compliance Officers (131040)

**** Occupation (SOC Code): Computer and Mathematical Occupations (150000)

***** Occupation (SOC Code): Financial and Investment Analysts, Financial Risk Specialists, and Financial Specialists, All Other (132098)

****** Occupation (SOC Code): Office and Administrative Support Occupations (430000)



  13. Estimate of start-up cost to respondents:


There are no anticipated capital, start-up, or operating costs.


  14. Estimates of annualized cost to the federal government:


None.


  15. Analysis of change in burden:


There is no change in the method or substance of the collection. The overall increase in burden hours (from 11,388 hours to 11,580 hours) is the result of economic fluctuation. In particular, the number of respondents has increased while the hours per response and frequency of responses have remained the same.


  16. Information regarding collections whose results are planned to be published for statistical use:


The information contained in this collection is not published.


  17. Exceptions to expiration date display:


Not applicable.


  18. Exceptions to certification:


None.


  B. STATISTICAL METHODS


Statistical methods are not employed in this collection.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Created: 2022-03-22
