Skip to main content
OCC Flag

An official website of the United States government

OCC Bulletin 2001-35 | July 18, 2001

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information: Examination Procedures

To

Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel

The attached interagency "Examination Procedures" continues to apply to federal savings associations.

Refer to the "Community Bank Supervision" booklet of the Comptroller's Handbook for the most recent information technology examination procedures for community banks.

This bulletin transmits examination procedures for reviewing a national bank’s compliance with "Guidelines Establishing Standards for Safeguarding Customer Information" (guidelines).  The guidelines were issued on February 15 in OCC 2001-8.  The guidelines are mandated by Section 501 of the Gramm–Leach–Bliley Act of 1999 (GLBA) and effective July 1.  The attached "Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information" are risk-based and allow examiners to tailor the examination scope according to the size and complexity of the bank, the nature and scope of its activities, and the level of risk assumed by the institution.  The examination procedures were developed through an interagency process and jointly adopted by the FDIC, OCC, OTS, and NCUA. 

Typically, OCC examiners will use these procedures in the OCC’s largest banks, banks with complex information technology (IT) environments, banks where significant information security concerns have been identified, or where less experienced examiners need more detailed guidance.  For community banks, the OCC has incorporated less detailed procedures in the Community Bank Supervision booklet of the Comptroller's Handbook.  The revised booklet, which will be reissued early in the third quarter of 2001, will include IT procedures that focus on the adequacy of a bank's risk management processes and controls to promote the integrity, availability and confidentiality of automated information and systems. Attached is an advance copy of the section on information technology that will appear in the forthcoming Community Bank Supervision booklet.  The sections in boldface type are examination objectives and procedures that are specifically related to complying with the guidelines.  When significant concerns or risks are identified, the examiners would expand their coverage to include the attached interagency examination procedures.

Questions regarding these examination procedures should be directed to your supervisory office or to the Bank Technology Division at (202) 649-6340.

Clifford A. Wilke
Director, Bank Technology Division

Related Links