FACT Act : Record Retention and More

The proposal for the protection and destruction of information obtained from consumer reports is out. In some respects, there isn't much new or particularly burdensome about the proposal. The trick comes with the subtleties.

Two speakers at ABA's National Regulatory Conference ("NRC") discussed the issues of information retention. Peggy Twohig, Assistant Director in FTC's Division of Financial Practices, predicted that banks already in compliance with information security requirements of G-L-B will not face much that is new. The rule is expected to take the existing information security requirements into account and build around it. She predicts that the real burden will fall on non-banks.

Rick Fischer, partner in the law firm of Morrison and Foerster, was a bit more skeptical. Having guided the banking industry through previous developments in FCRA, he shared some additional advice. First, he warned that this new rule will have the effect of forcing the agencies to look harder at the G-L-B issues. As a result, higher expectations and standards may emerge through the examination process.

Agreeing in part with Twohig, Fischer observed that at certain of the typical information control points, the new rule may be a non-issue. Controls, together with a good handle on where, when, and how information flows, already exist.

But Fischer warned the audience that this information is now "radioactive" wherever it exists. Describing this information as radioactive is an excellent way to approach the problem. Clearly, a credit bureau report, whether an original or a copy, is subject to this rule. But so are pieces of information - such as the credit score or specific details about delinquencies - taken from it. And so is information obtained from the credit bureau after the account or loan is established. This information can end up in many places. If you think of it as glowing with a radioactive intensity, it may be easier to find and track. Failure to do so may result in a nuclear disaster.

Fischer advises institutions to develop procedures and information access authorities for all aspects of this information, including disposal of computers and laptops. The challenge is to determine all the places that the information exists, where and how it is being used, and how it is accessed and by whom.

The Proposed Rule
The agencies (OCC, FRB, FDIC, and OTS) have designed an information disposal rule that wraps around the existing G-L-B information security rule. Quickly summed up, the proposal would require institutions to establish appropriate controls for disposing of consumer information.

The proposal contains three elements that would be new to the information security rule. First, there is a definition of consumer information. Second, the rule would contain an objective of information disposal. Finally, institutions would be required to implement appropriate measures to dispose of consumer information.

Defining Consumer Information
The definition of "consumer information" is a bit tricky. The definition has to tie in to the FCRA definitions rather than the G-L-B definitions. The proposed definition is drawn from Section 603(c) of the FCRA and defines a consumer as an individual. The definition thus turns on "any record about an individual ... that is a consumer report or is derived from a consumer report ..."

By using the FCRA definition, the information disposal rules are triggered by the status of the individual about whom the information is reported rather than by the nature of the transaction or the relationship between the consumer and the institution. This differs significantly from the G-L-B definitions, which are based on the relationship of that individual to the institution as a consumer or as a customer.

The differences make sense from a regulatory perspective because of the language and purposes of the different source laws. However, from an implementation and management perspective, the differences will present enormous challenges.

Any information about the consumer that comes from the credit bureau report is subject to the record disposal rule. This includes information about the consumer, such as the credit score, the number of trades, and arguably even debt ratios if developed using credit bureau information. When the application is denied based on information in the credit bureau and the adverse action letter reflects this, the adverse action letter may also be subject to the disposal rule.

In order to manage compliance with this requirement, it will be necessary to follow the path of not just the credit report itself, but the many ways that information is taken from that report and placed in other documents or records.

The disposal rule does not reach information that is the result of direct dealings between the consumer and the institution. Records of payments on credit obligations or of deposit account management would not be subject to this rule because the source of the information is not the credit bureau. Such information about the consumer's relationship with the institution is covered by G-L-B as customer information. Of course, the same information, if reported to a credit bureau and used by another institution, would be covered as to that second institution.

The information retains its FACT Act disposal status when shared with affiliates. In short, the protected status runs with the information and is not transformed if moved through affiliated institutions.

The most significant limitation on the information status is that the rule would only apply to information that identifies the consumer. If the information is used in a way that severs its connection with the consumer, then it is no longer covered. This distinction is consistent with the act's purpose of minimizing opportunities for identity theft.

You may find that the easiest way to manage the G-L-B information security and FACT Act rules is to treat all information as subject to both rules.

Information Security
The proposal would build on the existing G-L-B information security programs and require institutions to design, implement, and maintain an information security program. The program would have to include methods for disposal of consumer information.

As proposed, this would include a risk assessment of information security including risk related to the disposal of information. This should be considered in the context of information and identity theft.

The proposal simply requires institutions to have procedures for "proper disposal" of information. There is opportunity to comment on whether this guidance is sufficiently clear. Any comments suggesting that this standard is vague are likely to generate a more detailed (and more burdensome) rule.

Managing Contractors
As with G-L-B, the obligations fall on regulated institutions. Banks and other financial institutions will be expected to control the information security practices of their vendors through contracts. The proposal would give institutions one year to bring contracts and vendors into compliance. The agencies seek comment on whether one year is sufficient time.

Risk Management
As risk goes, this issue will score very high, no matter what size the institution or how complex the product and service issues. Consider this high risk in your comments and preparations.

ACTION STEPS

  • Review your existing policies and procedures for the terminology "consumer" and "customer." Get the policies and procedures clear and straight from the start.
  • Review your vendor contracts. Determine whether they are renewed annually or less frequently. Share that information in your comment letter.
  • Also review your vendor contracts for provisions that meet or fall short of these proposed requirements and figure out how much work there is to do to bring the contracts up to the proposal's standard.
  • Review your current methods for information disposal and consider how they measure up under the proposal. Include a trash can check.
  • Scan some customer files to identify all the ways that information from consumer reports is used in the file. Use this for comments and for developing a program.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 7, 7/04

First published on 07/01/2004