The FDIC has mandated that financial institutions be compliant with the Fair and Accurate Credit Transactions Act of 2003 section 216 – ‘Guidelines Requiring the Proper Disposal of Consumer Information’. These guidelines have been in effect for financial institutions since 2005.
The Federal Deposit Insurance Corporation (FDIC) is an indepen-dent agency created by Congress to maintain stability and public confidence in the nation’s financial system. To accomplish this mission, the FDIC insures deposits; examines and supervises financial institutions for safety, soundness, and consumer protection; makes large and complex financial institutions resolvable; and man-ages receiverships.
Obligations Of Financial Institutions
FACTA guidelines require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of consumer information originating from a consumer report.
Consumer information is any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the institution for a business purpose.
Consumer information is also a compilation of such records. However, a record that does not identify an individual is not considered consumer information. Therefore, the guidelines do not apply to aggregate information.
In the performance of their business functions financial organizations will process records that identify an individual. Under FACTA, and required by the FDIC, these institutions must perform the following:
- Assess the risks to the consumer information handled by their organization.
- Evaluate security measures to control risks to consumer information.
- Design the information security programs to properly dispose of consumer records.
Failure to meet these directives will make an organization liable to statutory enforcement actions by the FDIC’s Enforcement Decisions & Orders (EDO) division. The statutory penalties assessed may include civil money penalty, removal/prohibition order, cease and desist or voluntary termination.
3rd Party Service Providers
Frequently, financial institutions will outsource functions of their data disposal process to third party service providers. A service provider is an entity that maintains, processes or otherwise is permitted access to customer information or consumer information through its performance of services to the bank . The guidelines direct financial institutions to require service providers by contract to implement appropriate measures designed to meet the FACTA obligations for the proper disposal of consumer information.
The FDIC and FACT require that any business that handles consumer information must take ‘reasonable measures’ to protect against unauthorized access or use of the consumer information. This includes and is not limited to:
- Any medium upon which physical and electronic consumer information was stored must be properly disposed of.
- Monitoring the disposal of electronic media and paper to ensure they cannot be read or reconstructed.
- Requiring that third party disposal companies be certified by a recognized trade association.
- Protect against the unauthorized and unintentional disposal of consumer information.
The FDIC guidelines do not recommend any specific form of data erasure but due to technological advances in data storage we recommend all erasure to be in compliance with NIST 800-88.
Complying with FDIC guidelines when managing and disposing of consumer data will limit your organization’s exposure to fines, data breaches and other regulatory issues. WipeDrive Enterprise is a proven software-based erasure tool that meets FDIC requirements for disposing of consumer data.
For more information on data security and data erasure products, please contact WipeDrive at 801.224.8900.