OCC Bulletin 2005-1| January 12, 2005

Proper Disposal of Consumer Information: Final Rule


Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers, Software Vendors, Department and Division Heads, and All Examining Personnel

The guidance attached to this bulletin continues to apply to federal savings associations.

The attached final rule, issued jointly by the federal bank and thrift regulatory agencies, was published in the Federal Register on December 28, 2004 (69 FR 77610). The rule requires financial institutions to adopt measures for properly disposing of consumer information derived from credit reports.

The final rule implements section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (retitled by this rulemaking as the Interagency Guidelines Establishing Standards for Information Security). See, e.g., part 30, Appendix B (national banks). The final rule effectively requires a financial institution to dispose of "consumer information" in a manner consistent with the requirements in the guidelines that currently apply to the disposal of "customer information."

Under the final rule, financial institutions must make adjustments to their information security programs to properly dispose of "consumer information" that is not already protected as "customer information." This would include information from credit reports about a financial institution's employee or about a consumer whose application for a product or service is denied.

In addition, the final rule establishes a new part 41 to house the OCC's Fair Credit Reporting Act regulations, including a section requiring the proper disposal of consumer information that cross-references the guidelines.

The final rule will take effect on July 1, 2005.

For further information contact Bank Information Technology Operations (202) 649-6340.

Daniel P. Stipano
Acting Chief Counsel

Related Links