AGENCY:

Federal Deposit Insurance Corporation.

ACTION:

Final rule.

SUMMARY:

The Federal Deposit Insurance Corporation (“FDIC”) is adopting a final rule to rescind and remove a part from the Code of Federal Regulations entitled “Security Procedures” and to amend FDIC regulations to make the removed Office of Thrift Supervision (“OTS”) regulations applicable to State savings associations.

DATES:

The final rule is effective on May 2, 2018.

FOR FURTHER INFORMATION CONTACT:

Lauren Whitaker, Senior Attorney, Consumer Compliance Section, Legal Division (202) 898-3872; Karen Jones Currie, Senior Examination Specialist, Division of Risk Management and Supervision (202) 898-3981.

SUPPLEMENTARY INFORMATION:

Part 391, subpart A, was included in the regulations that were transferred to the FDIC from the Office of Thrift Supervision (“OTS”) on July 21, 2011, in connection with the implementation of applicable provisions of title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”).^[1] With the exception of one provision (§ 391.5) the requirements for State savings associations in part 391, subpart A, are substantively identical to the requirements in the FDIC's 12 CFR part 326 (“part 326”), which is entitled “Minimum Security Procedures.” The one exception directs savings associations to comply with appendix B to subpart B of Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) contained in FDIC rules at part 364, appendix B. The FDIC previously revised part 364 to make the Interagency Guidelines applicable to both State nonmember banks and State savings associations.^[2]

The FDIC is adopting a final rule (“Final Rule”) to rescind in its entirety part 391, subpart A and to modify the scope of part 326 to include State savings associations to conform to and reflect the scope of the FDIC's current supervisory responsibilities as the appropriate Federal banking agency. The FDIC is also adding definitions of “FDIC-supervised insured depository institution or institution” and “State savings association.” Upon removal of part 391, subpart A, the Security Procedures, regulations applicable for all insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency will be found at 12 CFR part 326.

I. Background

The Dodd-Frank Act

The Dodd-Frank Act provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency (“OCC”), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (“FRB”), as to savings and loan holding companies. Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. This section provides that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.

Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations that would be enforced by the FDIC and Start Printed Page 13840the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a “List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.” This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.^[3]

Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the FDI Act and other laws as the “appropriate Federal banking agency” or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of “appropriate Federal banking agency” contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the list of entities for which the FDIC is designated as the “appropriate Federal banking agency.” As a result, when the FDIC acts as the designated “appropriate Federal banking agency” (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify, and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.

As noted, on June 14, 2011, pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring regulations of the former OTS. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.^[4] When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules, and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them as appropriate.

One of the OTS rules transferred to the FDIC governed OTS oversight of minimum security devices and procedures for State savings associations. The OTS rule, formerly found at 12 CFR part 568, was transferred to the FDIC with only nominal changes, and is now found in the FDIC's rules at part 391, subpart A, entitled “Security Procedures.” Before the transfer of the OTS rules and continuing today, the FDIC's rules contained part 326, subpart A, entitled “Minimum Security Procedures,” a rule governing FDIC oversight of security devices and procedures to discourage burglaries, robberies, and larcenies, and assist law enforcement in the identification and apprehension of those who commit such crimes with respect to insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency. One provision in part 391, subpart A, namely § 391.5, is not contained in part 326, subpart A. It directs savings associations and certain subsidiaries to comply with the Interagency Guidelines Establishing Information Security Standards, which were adopted jointly by the OTS and the FDIC and other banking agencies, and are contained in appendix B to part 364 in FDIC regulations.

After careful review and comparison of part 391, subpart A, and part 326, the FDIC is adopting a Final Rule to rescind part 391, subpart A, because, as discussed below, it is substantively redundant to existing part 326, and simultaneously finalizes the technical conforming edits to the FDIC's existing rule.

FDIC's Existing 12 CFR Part 326 and Former OTS's Part 568 (Transferred to FDIC's Part 391, Subpart A)

Section 3 of the Bank Protection Act of 1968 directed the appropriate Federal banking agencies and the OTS' predecessor, the Federal Home Loan Bank Board (“FHLBB”), to establish minimum security standards for banks and savings associations, at reasonable cost, to serve as a deterrent to robberies, burglaries, and larcenies, and to assist law enforcement in identifying and prosecuting persons who commit such acts.^[5] In the initial rulemakings, the agencies consulted and cooperated with each other to promote a goal of uniformity where practicable. The initial minimum security rules were simultaneously issued in January 1969 and were substantively the same.^[6]

In 1991, the minimum security rules were substantially revised to reduce unnecessary specificity, remove obsolete requirements, and place greater responsibility on the boards of directors of insured financial institutions for establishing and ensuring the implementation and maintenance of security programs and procedures. The former FHLBB rules at 12 CFR part 563a were redesignated as 12 CFR part 568 by the OTS. The OTS rules remained substantively the same as the FDIC's rules in part 326, subpart A.^[7]

In 2001, the FDIC, other Federal banking agencies, and the OTS issued Interagency Guidelines for Safeguarding Customer Information pursuant to section 501 of the Gramm Leach Bliley Act (“Protection of Nonpublic Personal Information”).^[8] At the same time, the OTS added a provision at the end of its security procedures rules at section 568.5 directing saving associations and certain subsidiaries to comply with appendix B to the Interagency Guidelines. In a preamble footnote, the OTS indicated that the reason for the additional provision to its minimum security rules was “[b]ecause information security guidelines are similar to physical security procedures.” ^[9] In 2004, following enactment of the Fair and Accurate Credit Transactions Act (FACT Act), the OTS, FDIC, and other banking agencies revised the Interagency Guidelines for Safeguarding Customer Information and renamed them the Interagency Guidelines for Establishing Information Security Standards. The Interagency Guidelines were located in the FDIC rules at part 364. In 2015, the FDIC amended part 364 to, among other reasons, make it applicable to State savings associations.^[10] After careful comparison of the FDIC's part 326, subpart A, with the transferred OTS rule in part 391, subpart A, the FDIC has concluded that the transferred OTS rules governing minimum security procedures are substantively redundant. Based on the foregoing, the FDIC is adopting a Final Rule to rescind and remove from the Code of Federal Regulations the transferred OTS rules located at part 391, subpart A, and to make technical amendments to part 326, subpart A, to incorporate State savings associations.

II. The Proposed Rule

Regarding the functions of the former OTS that were transferred to the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 5414(b)(3), in pertinent part, provides that the former OTS's regulations will be enforceable by the FDIC until they are modified, terminated, set aside, or superseded in accordance with applicable law. After reviewing the rules currently found in part 391, subpart A, the FDIC issued a Notice of Proposed Rulemaking (“NPR” or “Proposed Rule”), which proposed to Start Printed Page 13841(1) rescind part 391, subpart A, in its entirety; (2) modify the scope of part 326, subpart A, to include State savings associations and their subsidiaries to conform to and reflect the scope of FDIC's current supervisory responsibilities as the appropriate Federal banking agency for State savings associations; (3) delete the definition of “insured nonmember bank” and replace it with a definition of “FDIC-supervised insured depository institution or institution,” which means “any State nonmember insured bank or State savings association for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q))”; (4) add a new subsection (i), which would define “State savings association” as having “the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3))”; and (5) make conforming technical edits throughout, including replacing the term “bank” with “FDIC-supervised insured depository institution” or “institution”. Under the Proposed Rule, oversight of minimum security procedures in part 326, subpart A, would apply to all FDIC-supervised institutions, including State savings associations, and part 391, subpart A, would be removed because it is largely redundant of the rules found in part 326. Rescinding part 391, subpart A, will serve to streamline the FDIC's rules and eliminate unnecessary regulations.

III. Comments

The FDIC issued the NPR with a 60-day comment period, which closed on January 3, 2017. The FDIC received no comments on its Proposed Rule, and consequently the Final Rule is adopted as proposed without any changes.

IV. Explanation of the Final Rule

As discussed in the NPR, with the exception of one provision (§ 391.5), the requirements for State savings associations in part 391, subpart A, are substantively identical to the requirements in the FDIC's 12 CFR part 326 (“part 326”). The one exception directs savings associations to comply with appendix B to subpart B of Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) contained in FDIC rules at part 364, appendix B. The FDIC previously revised part 364 to make the Interagency Guidelines applicable to both State nonmember banks and State savings associations. The designation of part 326 as a single authority regarding security standards and procedures will serve to streamline the FDIC's rules and eliminate unnecessary regulations. To that effect, the Final Rule removes and rescinds 12 CFR part 391, subpart A, in its entirety.

Consistent with the Proposed Rule, the Final Rule modifies the scope of part 326, subpart A, to include State savings associations and their subsidiaries to conform to and reflect the scope of FDIC's current supervisory responsibilities as the appropriate Federal banking agency for State savings associations. The Final Rule also deletes the definition of “insured nonmember bank” and replaces it with a definition of “FDIC-supervised insured depository institution or institution,” which means “any State nonmember insured bank or State savings association for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)).” Additionally, the Final Rule adds a new subsection (i), which would define “State savings association” as having “the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3)) and makes conforming technical edits throughout, including replacing the term “bank” with “FDIC-supervised insured depository institution” or “institution”.

V. Regulatory Analysis and Procedure

A. The Paperwork Reduction Act

In accordance with the requirements of the Paperwork Reduction Act (“PRA”) of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (“OMB”) control number.

The Final Rule would rescind and remove part 391, subpart A, from the FDIC regulations. This rule was transferred with only nominal changes to the FDIC from the OTS when the OTS was abolished by title III of the Dodd-Frank Act. Part 391, subpart A, is substantively similar to the FDIC's existing part 326, subpart A, regarding oversight of minimum security procedures for depository institutions with the exception of one provision at the end of part 391, subpart A, which directs savings associations to comply with Interagency Guidelines, which are located in Appendix B to part 364. In 2015, the FDIC proposed and finalized revisions to part 364 that made part 364, including the Interagency Guidelines in Appendix B, applicable to State savings associations as well as State nonmember banks.

The Final Rule also (1) amends part 326, subpart A to include State savings associations and their subsidiaries within its scope; (2) defines “FDIC-supervised insured depository institution or institution” and “State savings association”; and (3) makes conforming technical edits throughout. These measures clarify that State savings associations, as well as State nonmember banks, are subject to part 326, subpart A. With respect to part 326, subpart A, the Final Rule does not revise any existing, or create any new information collection pursuant to the PRA. Consequently, no submission has been made to the Office of Management and Budget for review.

B. The Regulatory Flexibility Act

The Regulatory Flexibility Act requires an agency to consider the impact that a final rule will have on small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $550 million).^[11] However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities, and publishes its certification and a short explanatory Statement in the Federal Register together with the rule. For the reasons provided below, the FDIC certifies that the Final Rule would not have a significant economic impact on a substantial number of small entities.

As discussed in the NPR, part 391, subpart A, was transferred from OTS part 568, which governed minimum security procedures for depository institutions. The initial minimum security rules, though issued separately by the agencies, were all published in January 1969. The OTS rule, part 568, had been in effect since 1991 and all State savings associations were required to comply with it. Because it is substantially the same as existing part 326, subpart A of the FDIC's rules and therefore redundant, the FDIC is adopting a final rule to rescind and remove the transferred regulation now located in part 391, subpart A. As a result, all FDIC-supervised institutions—including State savings associations and their subsidiaries—would be required to comply with the minimum security procedures in part 326, subpart A. Because all State savings associations and their subsidiaries have Start Printed Page 13842been required to comply with nearly identical security procedures rules since 1969, the Final Rule would not place additional requirements or burdens on any State savings association irrespective of its size. Therefore, the Final Rule would not have a significant impact on a substantial number of small entities.

C. Small Business Regulatory Enforcement Fairness Act

The Office of Management and Budget has determined that the Final Rule is not a “major rule” within the meaning of the Small Business Regulatory Enforcement Fairness Act of 1996 (“SBREFA”), 5 U.S.C. 801 et seq. As required by SBREFA, the FDIC will submit the Final Rule and other appropriate reports to Congress and the Government Accountability Office for review.

D. Plain Language

Section 722 of the Gramm-Leach- Bliley Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. In the NPR, the FDIC invited comments on whether the Proposed Rule was clearly stated and effectively organized, and how the FDIC might make it easier to understand. Although the FDIC did not receive any comments, the FDIC sought to present the Final Rule in a simple and straightforward manner.

D. The Economic Growth and Regulatory Paperwork Reduction Act

Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (“EGRPRA”), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.^[12] The FDIC, along with the other Federal banking agencies, submitted a Joint Report to Congress on March 21, 2017 (“EGRPRA Report”) discussing how the review was conducted, what has been done to date to address regulatory burden, and further measures we will take to address issues that were identified.^[13] As noted in the EGRPRA Report, the FDIC is continuing to streamline and clarify its regulations through the OTS rule integration process. By removing outdated or unnecessary regulations, such as part 391, subpart A, and modifying the Minimum Security Procedures, this rule complements other actions the FDIC has taken, separately and with the other Federal banking agencies, to further the EGRPRA mandate.

E. Riegle Community Development and Regulatory Improvement Act of 1994

The Riegle Community Development and Regulatory Improvement Act of 1994 (RCDRIA) requires the FDIC, in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions, consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on insured depository institutions generally must take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form.^[14] The final rule includes no new reporting, disclosure, or other new requirements on insured depository institutions. Therefore, the final rule is not subject to the requirements of the statute.

List of Subjects

12 CFR Part 326

• Banks
• Banking
• Minimum security procedures
• Savings associations

12 CFR Part 391

• Security procedures

Authority and Issuance

For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation amends 12 CFR parts 326 and 391 as follows:

PART 326—MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY ACT ^[1] COMPLIANCE

1. The authority citation for part 326 continues to read as follows:

Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-1883; 31 U.S.C. 5311-5314 and 5316-5332.2.

2. Revise subpart A to read as follows:

Subpart A—Minimum Security Procedures

PART 391—[REMOVED AND RESERVED]

3. Under the authority of 12 U.S.C. 1819(a) Tenth, part 391, consisting of subpart A, is removed and reserved.

Footnotes