Federal Deposit Insurance Corporation.
Notice of proposed rulemaking.
In this notice of proposed rulemaking (“NPR” or “Proposed Rule”), the Federal Deposit Insurance Corporation (“FDIC”) proposes to rescind and remove a part from the Code of Federal Regulations entitled “Security Procedures” and to amend FDIC regulations to make the removed Office of Thrift Supervision (“OTS”) regulations applicable to state savings associations.
Comments must be received on or before January 3, 2017.
You may submit comments by any of the following methods:
FDIC Web site: http://www.fdic.gov/regulations/laws/federal/propose.html. Follow instructions for submitting comments on the agency Web site.
FDIC Email: Comments@fdic.gov. Include RIN #3064-AE47 on the subject line of the message.
FDIC Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW., Washington, DC 20429.
Hand Delivery to FDIC: Comments may be hand delivered to the guard station at the rear of the 550 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.
Please include your name, affiliation, address, email address, and telephone number(s) in your comment. Where appropriate, comments should include a short Executive Summary consisting of no more than five single-spaced pages. All statements received, including attachments and other supporting materials, are part of the public record and are subject to public disclosure. You should submit only information that you wish to make publicly available.
Please note: All comments received will be posted generally without change to
including any personal information provided. Paper copies of public comments may be requested from the Public Information Center by telephone at 1-877-275-3342 or 1-703-562-2200.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Lauren Whitaker, Attorney, Consumer Compliance Section, Legal Division (202) 898-3872; Martha L. Ellett, Counsel, Consumer Compliance Section, Legal Division, (202) 898-6765; Karen Jones Currie, Senior Examination Specialist, Division of Risk Management and Supervision (202) 898-3981.
End Further Info
Start Supplemental Information
Part 391, subpart A was included in the regulations that were transferred to the FDIC from the Office of Thrift Supervision (“OTS”) on July 21, 2011, in connection with the implementation of applicable provisions of title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). With the exception of one provision (§ 391.5) the requirements for State savings associations in part 391, subpart A are substantively identical to the requirements in the FDIC's 12 CFR part 326 (“part 326”), which is entitled “Minimum Security Procedures.” The one exception directs savings associations to comply with appendix B to subpart B of Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) contained in FDIC rules at part 364, appendix B. The FDIC previously revised part 364 to make the Interagency Guidelines applicable to both state nonmember banks and state savings associations.
The FDIC proposes to rescind in its entirety part 391, subpart A and to modify the scope of part 326 to include state savings associations to conform to and reflect the scope of the FDIC's current supervisory responsibilities as the appropriate Federal banking agency. The FDIC also proposes to define “FDIC-supervised insured depository institution or institution” and “State savings association.” Upon removal of part 391, subpart A, the Security Procedures, regulations applicable for all insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency will be found at 12 CFR part 326.
The Dodd-Frank Act
The Dodd-Frank Act 
provided for a substantial reorganization of the regulation of state and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to state savings associations, the Office of the Comptroller of the Currency (“OCC”), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (“FRB”), as to savings and loan holding companies. Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. The section provides that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.
Start Printed Page 75754
Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations that would be enforced by the FDIC and the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a “List of OTS Regulations to be enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.” This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.
Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the FDI Act and other laws as the “appropriate Federal banking agency” or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of “appropriate Federal banking agency” contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the list of entities for which the FDIC is designated as the “appropriate Federal banking agency.” As a result, when the FDIC acts as the designated “appropriate Federal banking agency” (or under similar terminology) for state savings associations, as it does here, the FDIC is authorized to issue, modify and rescind regulations involving such associations, as well as for state nonmember banks and insured branches of foreign banks.
As noted, on June 14, 2011, pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring regulations of the former OTS. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.
When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them, as appropriate.
One of the OTS rules transferred to the FDIC governed OTS oversight of minimum security devices and procedures for state savings associations. The OTS rule, formerly found at 12 CFR part 568, was transferred to the FDIC with only nominal changes and is now found in the FDIC's rules at part 391, subpart A, entitled “Security Procedures.” Before the transfer of the OTS rules and continuing today, the FDIC's rules contained part 326, subpart A entitled “Minimum Security Procedures,” a rule governing FDIC oversight of security devices and procedures to discourage burglaries, robberies and larcenies and assist law enforcement in the identification and apprehension of those who commit such crimes with respect to insured depository institutions for which the FDIC has been designated the appropriate Federal banking agency. One provision in part 391, subpart A (391.5) is not contained in part 326, subpart A. It directs savings associations and certain subsidiaries to comply with the Interagency Guidelines Establishing Information Security Standards which were adopted jointly by the OTS and the FDIC and other banking agencies and are contained in appendix B to part 364 in FDIC regulations.
After careful review and comparison of part 391, subpart A, and part 326, the FDIC proposes to rescind part 391, subpart A, because, as discussed below, it is substantively redundant to existing part 326 and simultaneously proposes to make technical conforming edits to the FDIC's existing rule.
FDIC's Existing 12 CFR Part 326 and Former OTS's Part 568 (Transferred to FDIC's Part 391, Subpart A)
Section 3 of the Bank Protection Act of 1968 directed the appropriate federal banking agencies and the OTS' predecessor, the Federal Home Loan Bank Board (“FHLBB”) to establish minimum security standards for banks and savings associations, at reasonable cost, to serve as a deterrent to robberies, burglaries, and larcenies and to assist law enforcement in identifying and prosecuting persons who commit such acts.
In the initial rulemakings, the agencies consulted and cooperated with each other to promote a goal of uniformity where practicable. The initial minimum security rules were simultaneously issued in January 1969 and were substantively the same.
In 1991, the minimum security rules were substantially revised to reduce unnecessary specificity, remove obsolete requirements and place greater responsibility on the boards of directors of insured financial institutions for establishing and ensuring the implementation and maintenance of security programs and procedures. The former FHLBB rules at 12 CFR part 563a were redesignated as 12 CFR part 568 by the OTS. The OTS rules remained substantively the same as the FDIC's rules in part 326, subpart A.
In 2001, the FDIC and other federal banking agencies and the OTS issued Interagency Guidelines for Safeguarding Customer Information pursuant to section 501 of the Gramm Leach Bliley Act (“Protection of Nonpublic Personal Information”).
At the same time, the OTS also added a provision at the end of its security procedures rules at section 568.5 directing saving associations and certain subsidiaries to comply with appendix B to the Interagency Guidelines. In a preamble footnote, the OTS indicated that the reason for the additional provision to its minimum security rules was “[b]ecause information security guidelines are similar to physical security procedures.” 
In 2004, following enactment of the Fair and Accurate Credit Transactions Act (FACT Act), the OTS, FDIC and other banking agencies revised the Interagency Guidelines for Safeguarding Customer Information and renamed them the Interagency Guidelines for Establishing Information Security Standards. The Interagency Guidelines were located in the FDIC rules at part 364. In 2015, the FDIC amended part 364 to, among other reasons, make it applicable to State savings associations.
After careful comparison of the FDIC's part 326, subpart A with the transferred OTS rule in part 391, subpart A, the FDIC has concluded that the transferred OTS rules governing minimum security procedures are substantively redundant. Based on the foregoing, the FDIC proposes to rescind and remove from the Code of Federal Regulations the transferred OTS rules located at part 391, subpart A, and to make technical amendments to part 326, subpart A to incorporate State savings associations.
II. The Proposal
Regarding the functions of the former OTS that were transferred to the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 5414(b)(3), in pertinent part, provides that the former OTS's regulations will be enforceable by the FDIC until they are modified, terminated, set aside, or superseded in accordance with applicable law. After reviewing the rules currently found in part 391, subpart A, the FDIC proposes Start Printed Page 75755(1) to rescind part 391, subpart A, in its entirety; (2) to modify to the scope of part 326, subpart A to include State savings associations and their subsidiaries to conform to and reflect the scope of FDIC's current supervisory responsibilities as the appropriate Federal banking agency for State savings associations; (3) delete the definition of “insured nonmember bank” and replace it with a definition of “FDIC-supervised insured depository institution or institution,” which means “any state nonmember insured bank or state savings association for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q));” (4) add a new subsection (i), which would define “state savings association” as having “the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (12 U.S.C. 1813(b)(3));” and (5) make conforming technical edits throughout, including replacing the term “FDIC-supervised insured depository institution” or “institution” in place of “bank” throughout the rule where necessary.
If the proposal is finalized, oversight of minimum security procedures in part 326, subpart A would apply to all FDIC-supervised institutions, including state savings associations, and part 391, subpart A, would be removed because it is largely redundant of the rules found in part 326. Rescinding part 391, subpart A, will serve to streamline the FDIC's rules and eliminate unnecessary regulations.
III. Request for Comments
The FDIC invites comments on all aspects of this proposed rulemaking, and specifically requests comments on the following:
(1.) What impacts, positive or negative, can you foresee in the FDIC's proposal to rescind part 391, subpart A?
Written comments must be received by the FDIC no later than January 3, 2017.
IV. Regulatory Analysis and Procedure
A. The Paperwork Reduction Act
In accordance with the requirements of the Paperwork Reduction Act (“PRA”) of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (“OMB”) control number.
The proposed rule would rescind and remove from FDIC regulations part 391, subpart A from the FDIC regulations. This rule was transferred with only nominal changes to the FDIC from the OTS when the OTS was abolished by title III of the Dodd-Frank Act. Part 391, subpart A, is substantively similar to the FDIC's existing part 326, subpart A regarding oversight of minimum security procedures for depository institutions with the exception of one provision at the end of Part 391, Subpart A which directs savings associations to comply with Interagency Guidelines which are located in appendix B to part 364. In 2015, the FDIC proposed and finalized revisions to part 364 that made part 364, including the Interagency Guidelines in Appendix B, applicable to State savings associations as well as State nonmember banks.
The proposed rule also would (1) amend part 326, subpart A to include state savings associations and their subsidiaries within its scope; (2) define “FDIC-supervised insured depository institution or institution” and “state savings association;” and (3) make conforming technical edits throughout. These measures clarify that state savings associations, as well as state nonmember banks are subject to part 326, subpart A. With respect to part 326, subpart A, the Proposed Rule does not revise any existing, or create any new information collection pursuant to the PRA. Consequently, no submission will be made to the Office of Management and Budget for review. The FDIC requests comment on its conclusion that this aspect of the NPR does not create a new or revise an existing information collection.
B. The Regulatory Flexibility Act
The Regulatory Flexibility Act requires that, in connection with a notice of proposed rulemaking, an agency prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $550 million).
However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities, and publishes its certification and a short explanatory Statement in the Federal Register together with the proposed rule. For the reasons provided below, the FDIC certifies that the Proposed Rule would not have a significant economic impact on a substantial number of small entities.
As discussed in this notice of proposed rulemaking, part 391, subpart A, was transferred from OTS part 568, which governed minimum security procedures for depository institutions. The initial minimum security rules, though issued separately by the agencies, were all published in January 1969. The OTS rule, part 568 had been in effect since 1991 and all State savings associations were required to comply with it. Because it is substantially the same as existing part 326, subpart A of the FDIC's rules and therefore redundant, the FDIC proposes rescinding and removing the transferred regulation now located in part 391, subpart A. As a result, all FDIC-supervised institutions—including state savings associations and their subsidiaries—would be required to comply with the minimum security procedures in part 326, subpart A. Because all state savings associations and their subsidiaries have been required to comply with nearly identical security procedures rules since 1969, the Proposed Rule would not place additional requirements or burdens on any state savings association irrespective of its size. Therefore, the Proposed Rule would not have a significant impact on a substantial number of small entities.
C. Plain Language
Section 722 of the Gramm-Leach- Bliley Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. The FDIC invites comments on whether the Proposed Rule is clearly stated and effectively organized, and how the FDIC might make it easier to understand. For example:
- Has the FDIC organized the material to suit your needs? If not, how could it present the rule more clearly?
- Have we clearly stated the requirements of the rule? If not, how could the rule be more clearly stated?
- Does the rule contain technical jargon that is not clear? If so, which language requires clarification?
- Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes would make the regulation easier to understand?
- What else could we do to make the regulation easier to understand?Start Printed Page 75756
D. The Economic Growth and Regulatory Paperwork Reduction Act
Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (“EGRPRA”), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.
The FDIC completed the last comprehensive review of its regulations under EGRPRA in 2006 and is commencing the next decennial review. The action taken on this rule will be included as part of the EGRPRA review that is currently in progress. As part of that review, the FDIC invites comments concerning whether the Proposed Rule would impose any outdated or unnecessary regulatory requirements on insured depository institutions. If you provide such comments, please be specific and provide alternatives whenever appropriate.
Start List of Subjects
List of Subjects
End List of Subjects
- Minimum security procedures
- Savings associations
Authority and Issuance
For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation proposes to amend 12 CFR part 326 and 12 CFR part 391 as set forth below:
PART 326—MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY ACT 
Start Amendment Part
1. The authority citation for part 326 continues to read as follows: End Amendment Part
Start Amendment Part
2. Revise subpart A to read as follows: End Amendment Part
Subpart A—Minimum Security Procedures
- Authority, purpose, and scope.
- Designation of security officer.
- Security program.
Authority, purpose, and scope.
(a) This part is issued by the Federal Deposit Insurance Corporation (“FDIC”) pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882). It applies to FDIC-supervised insured depository institutions. It requires each institution to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in identifying and apprehending persons who commit such acts.
(b) It is the responsibility of the institution's board of directors to comply with this part and ensure that a written security program for the institution's main office and branches is developed and implemented.
For the purposes of this part—
(a) The term FDIC-supervised insured depository institution or institution means any insured depository institution for which the Federal Deposit Insurance Corporation is the appropriate Federal banking agency pursuant to section 3(q)(2) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(q)(2).
(b) The term banking office includes any branch of an institution and, in the case of an FDIC-supervised insured depository institution, it includes the main office of that institution.
(c) The term branch for an institution chartered under the laws of any state of the United States includes any branch institution, branch office, branch agency, additional office, or any branch place of business located in any state or territory of the United States, District of Columbia, Puerto Rico, Guam, American Samoa, the Trust Territory of the Pacific Islands, the Northern Mariana Islands or the Virgin Islands at which deposits are received or checks paid or money lent. In the case of a foreign banks defined in§ 347.202 of this chapter, the term branch has the meaning given in § 347.202 of this chapter.
(d) The term state savings association has the same meaning as in section (3)(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).
Designation of security officer.
Upon the issuance of Federal deposit insurance, the board of directors of each institution shall designate a security officer who shall have the authority, subject to the approval of the board of directors, to develop, within a reasonable time, but no later than 180 days, and to administer a written security program for each banking office.
(a) Contents of security program. The security program shall:
(1) Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times;
(2) Establish procedures that will assist in identifying persons committing crimes against the institution and that will preserve evidence that may aid in their identification and prosecution; such procedures may include, but are not limited to:
(i) Retaining a record of any robbery, burglary, or larceny committed against the institution;
(ii) Maintaining a camera that records activity in the banking office; and
(iii) Using identification devices, such as prerecorded serial-numbered bills, or chemical and electronic devices;
(3) Provide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a robbery, burglar or larceny; and
(4) Provide for selecting, testing, operating and maintaining appropriate security devices, as specified in paragraph (b) of this section.
(b) Security devices. Each institution shall have, at a minimum, the following security devices:
(1) A means of protecting cash or other liquid assets, such as a vault, safe, or other secure space;
(2) A lighting system for illuminating, during the hours of darkness, the area around the vault, if the vault is visible from outside the banking office;
(3) An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery or burglary;
(4) Tamper-resistant locks on exterior doors and exterior windows that may be opened; and
(5) Such other devices as the security officer determines to be appropriate, taking into consideration:
(i) The incidence of crimes against financial institutions in the area;
(ii) The amount of currency or other valuables exposed to robbery, burglary, and larceny;
(iii) The distance of the banking office from the nearest responsible law enforcement officers;
(iv) The cost of the security devices;
(v) Other security measures in effect at the banking office; and
(vi) The physical characteristics of the structure of the banking office and its surroundings.
Start Printed Page 75757
The security officer for each institution shall report at least annually to the institution's board of directors on the implementation, administration, and effectiveness of the security program.
PART 391—REGULATIONS TRANSFERRED FROM THE OFFICE OF THRIFT SUPERVISION
Subpart A—Security Procedures
Start Amendment Part
3. The authority citation for part 391 is revised to read as follows: End Amendment Part
Subpart A—[Removed and Reserved]
Start Amendment Part
4. Remove and reserve subpart A consisting of §§ 391.1 through 391.5. End Amendment Part
End Supplemental Information
Dated at Washington, DC, this 19th day of October, 2016.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
[FR Doc. 2016-26062 Filed 10-31-16; 8:45 am]
BILLING CODE 6714-01-P