Skip to Content

Proposed Rule

Transferred OTS Regulations Regarding Electronic Operations

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Deposit Insurance Corporation.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

In this notice of proposed rulemaking, the Federal Deposit Insurance Corporation (“FDIC”) proposes to rescind and remove regarding electronic operations which were transferred to the FDIC from the Office of Thrift Supervision (“OTS”) on July 21, 2011, in connection with the implementation of applicable provisions of Title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). There is no corresponding FDIC Electronic Operations rule and the rule is deemed obsolete and unnecessary. Therefore, the FDIC proposes to rescind and remove the regulations.

DATES:

Comments must be received on or before September 19, 2014.

ADDRESSES:

You may submit comments by any of the following methods:

  • FDIC Web site: http://www.fdic.gov/​regulations/​laws/​federal/​. Follow instructions for submitting comments on the agency Web site.
  • FDIC Email: Comments@fdic.gov. Include RIN 3064-AE19 on the subject line of the message.
  • FDIC Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW., Washington, DC 20429.
  • Hand Delivery to FDIC: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.

Please include your name, affiliation, address, email address, and telephone number(s) in your comment. Where appropriate, comments should include a short Executive Summary consisting of no more than five single-spaced pages. All statements received, including attachments and other supporting materials, are part of the public record and are subject to public disclosure. You should submit only information that you wish to make publicly available.

Please note:

All comments received will be posted generally without change to http://www.fdic.gov/​regulations/​laws/​federal/​, including any personal information provided. Paper copies of public comments may be requested from the Public Information Center by telephone at 1-877-275-3342 or 1-703-562-2200.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Frederick Coleman, Division of Risk Management Supervision, (703) 254-0452; Martha L. Ellett, Legal Division, (202) 898-6765; Jennifer Maree, Legal Division, (202) 898-6543.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

The Dodd-Frank Act

Title III of the Dodd-Frank Act [1] provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency (“OCC”), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (“FRB”), as to savings and loan holding companies. Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. The section provides that if such materials were in effect on the day before the transfer Start Printed Page 42232date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.

Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations which would be enforced by the FDIC and the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a “List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.” This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.[2]

Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the Federal Deposit Insurance Act (“FDI Act”) and other laws as the “appropriate Federal banking agency” or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of “appropriate Federal banking agency” contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the list of entities for which the FDIC is designated as the “appropriate Federal banking agency.” As a result, when the FDIC acts as the designated “appropriate Federal banking agency” (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.

As noted, on June 14, 2011, operating pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring OTS regulations. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.[3] When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them, as appropriate.

One of the OTS rules transferred to the FDIC requires State savings associations to notify the FDIC at least 30 days before establishing a transactional Web site. The OTS rule, formerly found at 12 CFR part 555, subpart B (“part 555, subpart B”), was transferred to the FDIC with only technical changes and is now found in the FDIC's rules at part 390, subpart L, entitled “Electronic Operations.” The FDIC has no such corresponding rule. After careful review of part 390, subpart L, the FDIC proposes to rescind part 390, subpart L, because, as discussed below, it is obsolete, unnecessary, and burdensome.

Former OTS Part 555, Subpart B (Transferred to FDIC Part 390, Subpart L)

On January 1, 1999, part 555, subpart B became effective and was among the regulations that were transferred to the FDIC from the OTS on July 21, 2011, pursuant to the Dodd-Frank Act. This rule required savings associations to file a written notice with the OTS at least 30 days before establishing a transactional Web site. The OTS enacted the Electronic Operations rule unilaterally. Neither the FDIC, nor the Office of the Comptroller of the Currency (“OCC”),[4] nor the Board of Governors of the Federal Reserve System (“FRB”) has a regulatory notice requirement similar to the Electronic Operations rule that requires insured depository institutions (“IDIs”) to notify the FDIC if they intend to establish transactional Web sites.

In issuing its Electronic Operations rule, the OTS sought to “monitor adequately savings associations' technological innovations and to assess security, compliance, and privacy risks.” [5] The OTS reasoned that the notice requirement would aid the agency in assisting savings associations “that are contemplating or already conducting Internet operations to identify and address the risks that accompany such activities” and would “help institutions avoid problems and protect consumers.” [6] At the time, the OTS concluded that a requirement that each savings association must provide advance notice to the OTS of the association's intent to establish a transactional Web site would assist the OTS in evaluating safety and soundness, compliance, and other risks.

Significantly, the OTS noted that “[a]s technologies mature and the industry and OTS gain additional experience, the OTS may revise the rule to no longer require notice before establishing a transactional Web site.” [7] In a 2001 review of its regulations regarding electronic delivery of financial products and services, the OTS suggested that a goal of the Electronic Operations rule was to impose a notice requirement in lieu of specific operational standards as the least burdensome way to regulate savings associations. The OTS also stated that it “designed its regulations to help ensure that it would have sufficient information to understand developing technologies, to provide appropriate guidance on these technologies, and to supervise electronic operations effectively.” [8]

After careful consideration of the former OTS's general prior notice requirement, the FDIC has reached the same conclusion it has in the past, particularly in light of continuing advancements in electronic banking and related technology. Specifically, the FDIC concludes there is no supervisory value in a requirement that an IDI give prior notification to the FDIC about its establishment of a transactional Web site. Given the rapid evolution, innovation and current state of technological products and interfaces with customers, the FDIC relies on dynamic, in-depth supervisory means to evaluate an IDI's information technology (“IT”) systems. Instead of a general notice requirement for the establishment of a transactional Web site, the FDIC has developed and relies upon more useful and ongoing sources of information to evaluate the financial condition, risks and regulatory compliance by FDIC-supervised institutions. Prior notification that an institution is establishing a transactional Web site is an outdated and unnecessary requirement.

Currently, the FDIC receives information about an IDI's IT systems, including its transactional Web sites, from various examinations and other sources of information that render a general prior notice requirement such as the former OTS rule for savings Start Printed Page 42233associations, outdated and unnecessary for the FDIC's supervisory purposes of risk management and compliance. For example, the FDIC's IT pre-examination questionnaire to IDIs requires information about the IDI's technological developments, including whether there were any changes in technology that were implemented since the previous FDIC examination.

Changes in technology include, for example, any “new service provider relationships, new software applications and/or service offerings.” [9] The IT pre-examination questionnaire also asks whether the IDI plans to “deploy new technology within the next 12 months,” which would include the implementation of a transactional Web site. If the answer is “yes,” the questionnaire asks whether the risks associated with the new technology were reviewed by the IDI during the institution's most recent risk assessment.[10] The FDIC then reviews the IDI's risk assessment at each examination. The questionnaire also asks whether the IDI has “identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC,” [11] which would include those with Technology Service Providers (“TSPs”). This information is also required to be reported by the IDI to the FDIC pursuant to the Bank Service Company Act (“BSCA”).[12]

As part of its examination process, the FDIC also monitors technology developments and TSPs. In periodic on-site IT examinations, FDIC examiners obtain information regarding the establishment of transactional Web sites and any other technological developments the institution has implemented. Through the Federal Financial Institutions Examination Council (“FFIEC”), the FDIC, jointly with other Federal banking agencies, also participates in examinations of all of the major TSPs. In these examinations, the FDIC obtains customer lists of all financial institutions that have contracted for services from the particular service provider, including TSPs. These lists are more up to date than a point-in-time notice that the Electronic Operations rule offers and they also provide the FDIC with notice of any changes in TSPs.

During the FDIC's compliance examinations, IDIs are also routinely examined for compliance with applicable consumer protection laws and regulations, such as the Truth in Lending Act, Regulation Z; the Electronic Funds Transfer Act, Regulation E; the Equal Credit Opportunity Act, Regulation B; the Truth in Savings Act, Regulation DD; and Section 5 of the Federal Trade Commission Act that prohibits unfair or deceptive acts or practices. These examinations address any problems IDIs may have with the adequacy of consumer disclosures, among other things.

In addition, the BSCA requires IDIs to provide written notice to the FDIC (or other appropriate Federal banking agency) of the existence of third-party service relationships “within thirty days after the making of such service contract or the performance of the service, whichever occurs first.” [13] The BSCA covers services performed by third parties, including TSPs and the FDIC has long interpreted the BSCA to include within its scope Internet banking service providers.[14]

Specific and ongoing information obtained and evaluated by the FDIC through the IT pre-examination questionnaire, on-site IT examinations, TSP examinations and compliance examinations as well as the BSCA notice better enables the FDIC to evaluate existing or potential safety and soundness and compliance concerns. The FDIC's IT examination process renders a general, point-in-time notice such as that required by the OTS's Electronic Operations rule, to be unnecessary. The rule is inefficient and unnecessarily burdensome, and it should be eliminated.

In its supplemental notice of proposed rulemaking, the OTS expressed concerns regarding the safety of Internet banking and protecting customers' privacy in support of its rule.[15] However, these supervisory concerns have been addressed elsewhere, rendering the Electronic Operations rule superfluous. For example, in 2005 and most recently updated in 2011, the FDIC, with the other FFIEC agencies, issued guidance that describes supervisory expectations regarding customer authentication for high-risk transactions, layered security programs, and other controls related to Internet banking.[16] The guidance includes regulatory expectations about enhanced authentication methods banks must use when authenticating the identity of customers using on-line products and services, the need for layered security, and minimum control expectations for certain online banking activities.

In addition, 12 CFR part 364, appendix B (“part 364, appendix B”) to the FDIC regulations, which implements the Graham-Leach-Bliley Act, addresses the bank's requirements for safeguarding customer information, which includes transactional Web sites.[17] An institution's compliance with part 364, appendix B is assessed at every FDIC IT examination and specifically addressed in each Report of Examination.

After careful review of the OTS's transferred rule in part 390, subpart L, and the former OTS's stated rationale for the rule, the FDIC, as the appropriate Federal banking agency for State savings associations, proposes to rescind and remove the former OTS rule in its entirety. Rescinding part 390, subpart L also will serve to streamline the FDIC's rules and eliminate obsolete and superfluous regulations. If the proposal is adopted in final form, all IDIs regulated by the FDIC—including State savings associations—will be regulated in a uniform manner.

II. The Proposal

Regarding the functions of the former OTS that were transferred to the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 5414(b)(3), in pertinent part, provides that the former OTS regulations will be enforceable by the FDIC until they are modified, terminated, set aside, or superseded in accordance with applicable law. After reviewing the Electronic Operations rule currently found in part 390, subpart L, the FDIC, as the appropriate Federal banking agency for State savings associations, proposes to rescind part 390, subpart L in its entirety. Rescinding part 390, subpart L will serve to streamline the FDIC's rules and eliminate obsolete and unnecessary regulations. It will also facilitate uniform supervision regarding notification requirements for electronic operation for all FDIC-supervised IDIs.Start Printed Page 42234

III. Request for Comments

The FDIC invites comments on all aspects of this proposed rulemaking, and specifically requests comments on the following:

(1) What impacts, positive or negative, can you foresee in the FDIC's proposal to rescind part 390, subpart L?

Written comments must be received by the FDIC no later than September 19, 2014.

IV. Regulatory Analysis and Procedure

A. The Paperwork Reduction Act

In accordance with the requirements of the Paperwork Reduction Act (“PRA”) of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (“OMB”) control number.

The Proposed Rule would rescind and remove from FDIC regulations part 390, subpart L because it is obsolete and unnecessary. In republishing this rule, the FDIC made only technical changes to existing OTS regulations, such as nomenclature changes. The FDIC does not have a regulatory notice requirement similar to the Electronic Operations rule that requires IDIs to notify the FDIC if they intend to set up transactional Web sites and, therefore, never established an information collection to account for the paperwork burden imposed on the public.

This Proposed Rule will neither create any paperwork information collection nor modify any of the FDIC's existing paperwork information collections. Accordingly, the FDIC need not submit any Information Collection Request to OMB.

B. The Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”),[18] requires that, in connection with a notice of proposed rulemaking, an agency prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $500 million).[19] However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities, and publishes its certification and a short explanatory statement in the Federal Register together with the rule. For the reasons provided below, the FDIC certifies that the Proposed Rule, if adopted in final form, would not have a significant economic impact on a substantial number of small entities. Accordingly, a regulatory flexibility analysis is not required. The Proposed Rule does not impose any additional burdens or requirements on small entities. Rather, because the Electronic Operations rule is being rescinded, the Proposed Rule reduces the paperwork and other regulatory burdens on State savings associations by eliminating the requirement to provide the FDIC with notice before establishing a transactional Web site.

As discussed in this notice of proposed rulemaking, part 390, subpart L was transferred from part 555, subpart B, which governed notification provisions for savings associations that intended to establish transactional Web sites. Part 555, subpart B became effective on January 1, 1999, and all savings associations were required to comply with it. Because it is obsolete and unnecessary, the FDIC proposes rescinding and removing part 390, subpart L. Therefore, today's Proposed Rule would have no significant economic impact on any State savings association.

C. Plain Language

Section 722 of the Gramm-Leach-Bliley Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. The FDIC invites comments on whether the Proposed Rule is clearly stated and effectively organized, and how the FDIC might make it easier to understand. For example:

  • Has the FDIC organized the material to suit your needs? If not, how could it present the rule more clearly?
  • Have we clearly stated the requirements of the rule? If not, how could the rule be more clearly stated?
  • Does the rule contain technical jargon that is not clear? If so, which language requires clarification?
  • Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes would make the regulation easier to understand?
  • What else could we do to make the regulation easier to understand?

D. The Economic Growth and Regulatory Paperwork Reduction Act

Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (“EGRPRA”), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.[20] The FDIC completed the last comprehensive review of its regulations under EGRPRA in 2006 and is commencing the next decennial review. The action taken on this rule will be included as part of the EGRPRA review that is currently in progress.

Start List of Subjects

List of Subjects in 12 CFR Part 390

  • Banks and banking
  • Electronic operations
  • Savings associations
End List of Subjects

Authority and Issuance

For the reasons stated in the preamble, the Board of Directors of the FDIC proposes to amend 12 CFR part 390 as follows:

Start Part

PART 390—REGULATIONS TRANSFERRED FROM THE OFFICE OF THRIFT SUPERVISION

End Part Start Amendment Part

1. The authority citation for part 390 is revised to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 1819.

End Authority

Subpart A also issued under 12 U.S.C. 1820.

Subpart B also issued under 12 U.S.C. 1818.

Subpart C also issued under 5 U.S.C. 504; 554-557; 12 U.S.C. 1464; 1467; 1468; 1817; 1818; 1820; 1829; 3349, 4717; 15 U.S.C. 78 l; 78o-5; 78u-2; 28 U.S.C. 2461 note; 31 U.S.C. 5321; 42 U.S.C. 4012a.

Subpart D also issued under 12 U.S.C. 1817; 1818; 1820; 15 U.S.C. 78 l.

Subpart E also issued under 12 U.S.C. 1813; 1831m; 15 U.S.C. 78.

Subpart F also issued under 5 U.S.C. 552; 559; 12 U.S.C. 2901 et seq.

Subpart G also issued under 12 U.S.C. 2810 et seq., 2901 et seq.; 15 U.S.C. 1691; 42 U.S.C. 1981, 1982, 3601-3619.

Subpart H also issued under 12 U.S.C. 1464; 1831y.

Subpart I also issued under 12 U.S.C. 1831x.

Subpart J also issued under 12 U.S.C. 1831p-1.

Subpart M also issued under 12 U.S.C. 1818.

Subpart N also issued under 12 U.S.C. 1821.

Subpart O also issued under 12 U.S.C. 1828.

Subpart P also issued under 12 U.S.C. 1470; 1831e; 1831n; 1831p-1; 3339.

Subpart Q also issued under 12 U.S.C. 1462; 1462a; 1463; 1464.

Subpart R also issued under 12 U.S.C. 1463; 1464; 1831m; 1831n; 1831p-1.

Subpart S also issued under 12 U.S.C. 1462; 1462a; 1463; 1464; 1468a; 1817; 1820; 1828; 1831e; 1831o; 1831p-1; 1881-1884; 3207; 3339; 15 U.S.C. 78b; 78 l; 78m; 78n; Start Printed Page 4223578p; 78q; 78w; 31 U.S.C. 5318; 42 U.S.C. 4106.

Subpart T also issued under 12 U.S.C. 1462a; 1463; 1464; 15 U.S.C. 78c; 78 l; 78m; 78n; 78w.

Subpart U also issued under 12 U.S.C. 1462a; 1463; 1464; 15 U.S.C. 78c; 78 l; 78m; 78n; 78p; 78w; 78d-1; 7241; 7242; 7243; 7244; 7261; 7264; 7265.

Subpart V also issued under 12 U.S.C. 3201-3208.

Subpart W also issued under 12 U.S.C. 1462a; 1463; 1464; 15 U.S.C. 78c; 78 l; 78m; 78n; 78p; 78w.

Subpart X also issued under 12 U.S.C. 1462; 1462a; 1463; 1464; 1828; 3331 et seq.

Subpart Y also issued under 12 U.S.C.1831o.

Subpart Z also issued under 12 U.S.C. 1462; 1462a; 1463; 1464; 1828 (note).

Subpart L—[Removed and Reserved]

Start Amendment Part

2. Remove and reserve subpart L, consisting of §§ 390.220 through 390.222.

End Amendment Part Start Signature

Dated at Washington, DC, this 15th day of July, 2014.

By order of the Board of Directors, Federal Deposit Insurance Corporation.

Robert E. Feldman,

Executive Secretary.

End Signature End Supplemental Information

Footnotes

1.  Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376 (2010).

Back to Citation

2.  76 FR 39247 (July 6, 2011).

Back to Citation

3.  76 FR 47652 (Aug. 5, 2011).

Back to Citation

4.  The OCC has an Electronic Activities rule that “identifies the criteria that the OCC uses to determine whether an electronic activity is authorized as part of, or incidental to, the business of banking under 12 U.S.C. 24 (Seventh) or other statutory authority.” 12 CFR 7.5000. However, this rule does not contain a prior notice requirement before establishing a transactional Web site.

Back to Citation

5.  63 FR 65673, 65678 (Nov. 30, 1998).

Back to Citation

6.  63 FR 43327, 43328 (Aug. 13, 1998). The OTS articulated concerns about “protecting the privacy of individuals” and “other operational and compliance risks presented by Internet banking” and noted its intent to “increase its monitoring of Web sites for compliance with disclosure laws and regulations.” Id.

Back to Citation

7.  63 FR 43327, 43329 (Aug. 13, 1998).

Back to Citation

8.  66 FR 31186, 31187 (June 11, 2001).

Back to Citation

9.  Information Technology Officer's Questionnaire, Part 1(h) (Dec. 2007).

Back to Citation

10.  Information Technology Officer's Questionnaire, Part 1(k) (Dec. 2007).

Back to Citation

11.  Information Technology Officer's Questionnaire, Part 5(b) (Dec. 2007).

Back to Citation

13.  12 U.S.C. 1867(c)(2). Although the BSCA notice does not require a prior notification like the Electronic Operations notice requirement, it is supplemented by other, ongoing and detailed sources of supervisory information.

Back to Citation

14.  See Bank Service Company Act, FDIC, FIL-49-99 (June 3, 1999).

Back to Citation

15.  63 FR 43327 (Aug. 13, 1998).

Back to Citation

16.  The guidance was first issued in 2005, see Authentication in an Internet Banking Environment, FDIC, FIL-103-2005 (Oct. 12, 2005), and was updated in 2011, see FFIEC Supplement to Authentication in an Internet Banking Environment, FDIC, FIL-50-2011 (June 29, 2011).

Back to Citation

17.  Interagency Guidelines Establishing Information Security Standards, 12 CFR Part 364, Appendix B.

Back to Citation

19.  78 FR 37409, 37411 (June 20, 2013).

Back to Citation

20.  Public Law 104-208, 110 Stat. 3009 (1996).

Back to Citation

[FR Doc. 2014-16975 Filed 7-18-14; 8:45 am]

BILLING CODE 6714-01-P