Guidance Issued on Response Programs for Unauthorized Access to Customer Information and Customer Notice
December 7, 2005
Circular No. 11752

To All Depository Institutions and Others Concerned
in the Second Federal Reserve District:

A joint Supervision and Regulation and Consumer Affairs Letter from the Board of Governors of the Federal Reserve System establishes the Federal Reserve’s expectations for financial institutions and supervisory personnel with respect to the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Guidance).

The Guidance, which has been effective since March 29, 2005, interprets the Interagency Guidelines Establishing Information Security Standards (Security Guidelines) and states that each financial institution should implement a response program to address unauthorized access to customer information maintained by the institution or its service providers.

The Guidance describes the components of a response program, including procedures to notify customers about incidents that involve unauthorized access to sensitive customer information.

When evaluating the adequacy of a financial institution’s information security program required by the Security Guidelines, the Federal Reserve will consider whether the bank has developed and implemented a response program including notification procedures as described in the Guidance. An institution’s response program should contain procedures for the following:

  • assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused,
  • notifying the institution’s primary federal regulator as soon as possible once the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information,
  • complying with applicable suspicious activity reporting regulations and guidance to ensure appropriate law enforcement authorities are notified in a timely manner,
  • taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing or closing affected accounts, and
  • notifying customers as soon as possible when it is determined that misuse of sensitive customer information has occurred or is reasonably possible.

Read the SR/CA letter and interagency guidance below for complete details.

SR 05-23/CA 05-10
Interagency guidance

Thomas Oravez
Assistant Vice President
Risk Management
(212) 720-2118

John Ricketti
Vice President
Risk Management
(212) 720-2192

William L. Rutledge
Executive Vice President