The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley
Act, Title V -- Privacy Provisions

September 26, 2003
Audit Report No. 03-044

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: September 26, 2003

MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits

SUBJECT: The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act, Title V -- Privacy Provisions (Report No. 03-044)

This report presents the results of our evaluation of the Federal Deposit Insurance Corporation’s (FDIC) implementation of the Gramm-Leach-Bliley Act of 1999 (GLBA), Title V -- Privacy provisions. (Note: Pub. L. No. 106-102, codified to titles 12 and 15, United States Code (U.S.C.). The privacy provisions of the Act are codified at 15. U.S.C., §§ 6801 – 6827 and 1681s.) Congress enacted several privacy provisions in the GLBA in response to concerns about the growing inability of consumers to control access to their personal financial information, namely, GLBA, Title V -- Privacy, Subtitles A and B. These privacy provisions created new requirements for various federal and state regulatory agencies and financial institutions. Congress continues to emphasize the importance of consumer privacy as demonstrated by recent hearings covering the topics of identity theft and obligations regarding disclosures of personal information. (Note: U.S. Senate Committee on Banking, Housing, and Urban Affairs conducted hearings in June 2003: (1) “The Growing Problem of Identity Theft and Its Relationship to the Fair Credit Reporting Act” (June 19, 2003); and (2) “Affiliate Sharing Practices and Their Relationship to the Fair Credit Reporting Act” (June 26, 2003).)

The objective of our evaluation was to determine whether the FDIC has made reasonable progress in implementing the GLBA, Title V privacy provisions. Specifically, we reviewed actions that the FDIC’s Division of Supervision and Consumer Protection (DSC) has taken to implement the Title V provisions of GLBA. (Note: The FDIC’s DSC, in conjunction with other federal and state regulators, examines financial institutions to ensure they are conducting business in compliance with consumer protection rules and in a way that minimizes risk to their customers and to the deposit insurance funds. There are five categories of examinations: Safety and Soundness, Community Reinvestment Act, Compliance, Information Technology, and Trust.) This evaluation addresses both Subtitle A –Disclosure of Nonpublic Personal Information, and Subtitle B – Fraudulent Access to Financial Information. (Note: Subtitle A defines nonpublic personal information as personally identifiable financial information that an institution obtains under any of the following three sets of circumstances: (1) the consumer (see definition in the note that follows the next sentence) provides the information to the institution to obtain a financial product or service; (2) the information is about the consumer and results from any transaction involving a financial product or service between the institution and the consumer; or (3) the information is about the consumer and is otherwise obtained in connection with providing a financial product or service to that consumer.) For purposes of this report, we generally refer to topics of “safeguarding customer information” and “privacy notice requirements” rather than the specific section numbers within the GLBA. (Note: Subtitle A uses the terms “customer” and “consumer” in different sections. “Customer” is not statutorily defined, although “customer relationship” is described in a definition which, in part, refers to regulations which the financial banking regulators were to draft. In those regulations, the federal banking regulators defined “customer” to mean a “consumer” who has established a “customer relationship” with the financial institution. “Consumer” is defined in GLBA Section 509 as an individual (or legal representative) who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. “Customer relationship” is defined in the regulations as a continuing relationship between a consumer and the financial institution which provided such financial products or services. As a general rule, in this report, we will use “consumer” unless, in the particular context, “customer” would be more appropriate.) The DSC reviews financial institutions’ compliance with: (1) GLBA provisions on safeguarding customer information as part of DSC’s information technology (IT) examinations and (2) GLBA privacy notice requirements through compliance examinations.

Details of our objective, scope, and methodology are included as Appendix I of this report. Appendix II lists acronyms used in this report.

BACKGROUND

In addition to reforming the financial services industry, the GLBA addressed concerns relating to consumer financial privacy. Title V of the GLBA established major privacy provisions under two subtitles – A and B. Subtitle A provides a mechanism to protect the confidentiality of a consumer’s nonpublic personal information. Subtitle B prohibits “pretext calling,” which is a deceptive practice used to obtain information on the financial assets of consumers. Criminal penalties and regulatory and administrative enforcement mechanisms are established to help prevent this practice. Appendix III of this report provides a summary “crosswalk” of GLBA Title V provisions to FDIC rules and regulations and DSC examination procedures.

Subtitle A of GLBA Title V

In Subtitle A of GLBA Title V, Congress established requirements for financial institutions and regulatory agencies to protect the privacy of nonpublic personal information obtained by financial institutions.

Financial Institution Responsibilities: Section 501(a) of Subtitle A, states: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Section 502 applies this policy by generally prohibiting financial institutions from disclosing consumers’ nonpublic personal information to any entity that is not an affiliate of, or related by common ownership or control to, the financial institution (nonaffiliated third party), unless the consumer is given an opportunity to opt out of such disclosure. (Note: Under Subtitle A, the term “affiliate” means any company that controls, is controlled by, or is under common control with another company. "Opt out" means a consumer’s direction to a financial institution that it not disclose his or her nonpublic personal information to a nonaffiliated third-party.) Such an opportunity is provided under Section 503, which states that financial institutions must provide consumers with privacy notices that include an explanation of the institution’s policies and practices for disclosing and protecting the privacy of nonpublic personal information.

Regulatory Agency Responsibilities: Subtitle A requires various federal and state regulators to establish standards for financial institutions relating to the safeguarding of customer information (Section 501(b)) and to implement those standards, in the same manner, to the extent practicable, “as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such sections” (Sections 505(a) and 505(b)). (Note: The federal regulators responsible for issuing Subtitle A regulations are the Board of Governors of the Federal Reserve System, the FDIC, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, Secretary of the Department of the Treasury, Commodity Futures Trading Commission, and the Securities and Exchange Commission. Under Section 505(a), federal banking regulators are to enforce the provisions of Subtitle A and related regulations in accordance with Section 8 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. § 1818), which contains such enforcement mechanisms as a cease and desist order and civil money penalties. Other statutory enforcement provisions apply in the case of the other federal and state regulators. Under Section 505(b), federal banking regulators are to implement Section 501(b) standards in the same manner, to the extent practicable, as standards prescribed pursuant to Section 39(a) of the FDI Act (12 U.S.C. §1831 p-1(a)).) In addition, the federal regulators are required to prescribe regulations (Section 504) governing the disclosure of customer information to nonaffiliated third parties.

Subtitle B of GLBA Title V

Subtitle B of GLBA Title V makes it a federal crime to obtain customer information through fraudulent means (Section 521). It is also a violation of Section 521 “for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person,” customer information through fraudulent means or to solicit someone to obtain such information through fraudulent means. Subtitle B provides for both criminal penalties and civil administrative remedies through the Federal Trade Commission (FTC) and enforcement by federal banking regulators. (Note: For this report, federal banking regulators are the Board of Governors of the Federal Reserve System, FDIC, Office of the Comptroller of the Currency, and the Office of Thrift Supervision.) Subtitle B places the primary responsibility for enforcing the subtitle’s provisions with the FTC. However, with respect to financial institutions, the federal banking regulators are required to enforce Subtitle B provisions in accordance with Section 8 of the Federal Deposit Insurance (FDI) Act and may rely on other statutory enforcement authorities the federal banking regulators possess.

Section 525 of Subtitle B requires each federal banking regulator to “review regulations and guidelines applicable to financial institutions under their respective jurisdictions” and to “prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect” the unauthorized disclosure of customer financial information by false pretenses. Pretext calling is one common method used to fraudulently obtain a customer’s financial information from a financial institution. Pretext calling can lead to “identity theft” -- the fraudulent use of an individual’s personal identifying information to commit a financial crime.

Other Sections of GLBA Title V

GLBA Title V, Section 506, Protection of Fair Credit Reporting Act (FCRA), requires the federal banking regulators to jointly prescribe FCRA regulations related to affiliate information-sharing provisions, as necessary, with respect to financial institutions. The affiliate information-sharing provisions have not yet been fully implemented, but are being addressed through interagency proposed regulations still in process.

GLBA Title V requires that (1) the Secretary of the Treasury, in conjunction with federal banking regulators and the FTC, prepare a report to the Congress by January 1, 2002, regarding information-sharing practices among financial institutions and their affiliates; and (2) the General Accounting Office (GAO) consult with the federal banking regulators in preparing a report on the efficacy of GLBA’s remedies for pretext calling. (Note: As of August 29, 2003, the report to be prepared by the Secretary of the Treasury noted in item 1 in the previous sentence had not been finalized. The GAO report noted in item 2 is on Financial Privacy and is entitled, Too Soon to Assess the Privacy Provisions in the Gramm-Leach-Bliley Act of 1999, dated May 2001 (GAO-01-617).)

FDIC Rules and Regulations

FDIC Rules and Regulations, Parts 364, 332, and 308, implement the requirements of the applicable sections of GLBA Title V, as follows (Note: FDIC Rules and Regulations, Parts 364, 332, and 308 are codified to title 12 of the Code of Federal Regulations.):

Part 364 – Standards for Safety and Soundness: Appendix B to Part 364, Interagency Guidelines Establishing Standards for Safeguarding Customer Information, sets forth standards pursuant to Section 39 of the FDI Act and GLBA Subtitle A’s customer information safeguarding and enforcement provisions. These guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Part 332 – Privacy of Consumer Financial Information: Part 332 governs financial institutions’ treatment of nonpublic personal information about consumers and (1) requires a financial institution to provide notice to customers about its privacy policies and practices; (2) describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and (3) provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to exceptions. (Note: Part 332 applies to financial institutions insured by the FDIC (other than members of the Federal Reserve System) for which the FDIC has primary supervisory authority, insured state branches of foreign banks, and certain subsidiaries of such entities.)

Part 308, Subpart R – Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies: The FDIC may, based upon an examination, inspection, or any other information that becomes available to the FDIC, determine that a financial institution has failed to satisfy the safety and soundness standards set out in Part 364 and in Appendix B to Part 364. If the FDIC determines that a financial institution has failed to satisfy any such standard, the FDIC may request the submission of a compliance plan and may take appropriate enforcement actions if the financial institution fails to submit an acceptable plan or fails, in any material respect, to implement a plan accepted by the FDIC.

DSC’s Approach for Examining Standards for Safeguarding Customer Information

The DSC includes the standards for safeguarding customer information in its examination procedures. Since 2001, the DSC has applied the following procedures:

  • The federal banking regulators developed examination procedures in 2001 to assist examiners in evaluating a financial institution’s compliance with customer information safeguards established by the federal banking regulators and to ensure that the established standards are applied consistently. The FDIC advised its financial institutions of these procedures through Financial Institution Letter FIL-68-2001, Examination Procedures to Evaluate Customer Information Safeguards, dated August 24, 2001. The DSC distributed the examination procedures to its examiners through a Regional Directors Memorandum (RDM) entitled, Examination Procedures to Evaluate Customer Information Safeguards, dated August 28, 2001, Transmittal Number 2001-032 (RDM 2001-032). The DSC instructed examiners to assess compliance with customer information safeguards during examinations started after July 1, 2001.

  • Examiners could also use the procedures contained in an Examination Documentation (ED) Module, “GLBA 501(b) – Safeguarding Customer Information.” The most recent version of this ED Module is dated April 2002. The FDIC and the Federal Reserve Board developed the ED Module to provide examiners with a tool to focus on risk management and to establish an appropriate examination scope. RDM 2001-039, entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules and dated September 25, 2001, provided for discretionary use of the ED Module.

  • On October 9, 2002, the FDIC issued FIL-118-2002, New Examination Procedures for Assessing Information Technology Risk, to advise financial institutions of DSC’s new program for IT risk at FDIC-supervised financial institutions. The FDIC’s program incorporated a new philosophy for categorizing financial institutions’ use of technology and consequential exposure to technology risk, along with updated and more risk-focused IT examination procedures. In FIL-118-2002, the FDIC identified and included two new work programs, IT MERIT (Maximum Efficiency, Risk-Focused, Institution-Targeted) Procedures and an IT General Work Program, and provided the following descriptions.

    • IT-MERIT examination procedures will be used by examiners conducting technology risk reviews at FDIC-supervised financial institutions with the least technology risk. These simplified procedures will greatly streamline the review process for financial institutions in this group.

    • The IT General Work Program was developed to improve efficiencies by consolidating several existing technology-related work programs into a single work program and eliminating redundant review areas. This work program will be used by examiners conducting IT risk reviews at FDIC-supervised financial institutions with low to moderate technology risk. The work program replaces several previously issued work programs, such as the Electronic Banking Work program, Examination Procedures to Evaluate Customer Information Safeguards, the Community Bank Work Program, and others.

The DSC issued RDM 2002-043, entitled, Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines, dated September 30, 2002, to implement the new examination guidelines and procedures. RDM 2002 043 states that to address the different levels of risk posed by financial institutions through their use of IT, four new categories were developed to describe an institution’s technology risk profile: Type I, Type II, Type III, and Type IV financial institutions. Table 1 shows the examination procedures to be used for each type.

Table 1: Technology Types and IT Examination Procedures

Category Description IT Examination Procedures
Type I Limited networking and E-Banking activities; No in-house programming or core processing; Minimal external threats; Primary risks are centered on the core banking system or vendor management; and No history of less than satisfactory examination ratings. IT-MERIT Procedures
Type II Limited networking and E-Banking activities; Usually do not conduct in-house programming or servicing of other financial institutions; Minimal external threats; Primary risks are centered on the core banking system or vendor management; and a History of less than satisfactory examination ratings. IT General Work Program
Type III Fully integrated networking within operations; Increased external threats from E-Banking activities and Internet connections; and Increased operational from limited programming activities or servicing responsibilities. IT General Work Program, supplemented with Federal Financial Institutions Examination Council (FFIEC) Work Programs as needed.
Type IV Relies upon networks and other communication systems as a critical element of operations; Networking among business client and partners is common; Internet connectivity may be relied upon as a critical communications medium; Risk of compromise or access to critical systems from external sources is present; and Complexity of technology increases system administration and security risks. FFIEC Work Programs

Note on Table 1: The FFIEC, established in March 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (FIRICA – Pub. L. No. 95-630, codified to title 12. U.S.C. 3301 et seq.), is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision and to make recommendations to promote uniformity in the supervision of financial institutions.

Source: RDM 2002-043 dated September 30, 2002.

DSC’s Approach for Examining Privacy Notice Requirements

The FDIC and other federal banking regulators developed and approved examination procedures to review supervised financial institutions for compliance with the joint regulation on Privacy of Consumer Financial Information. On May 17, 2001, the FDIC issued to financial institutions FIL 46-2001, FFIEC Compliance Examination Procedures for Part 332 – “Privacy of Consumer Financial Information,” which provided the examination procedures to be used after July 1, 2001. FDIC’s Division of Compliance and Consumer Affairs (DCA) distributed the interagency examination procedures to all DCA staff through a memorandum entitled, Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information (Transmittal No. DCA 01-002), dated May 18, 2001. (Note: The FDIC merged the Division of Supervision and DCA into DSC effective July 1, 2002.)

In June 2003, the DSC advised financial institutions of its revised compliance examination process through FIL-52-2003, Compliance Examination Procedures. Under the new approach, FDIC compliance examinations combine the risk-based examination process with an in-depth evaluation of a financial institution’s compliance management system.

RESULTS OF EVALUATION

Overall, the FDIC has made reasonable progress in implementing GLBA Title V provisions related to safeguarding customer information and privacy notice requirements and modest progress in implementing provisions related to fraudulent access to financial information. Our assessment of FDIC’s progress is based on an analysis of the Corporation’s and DSC’s efforts to establish regulations, issue implementing guidelines to financial institutions, and develop and implement procedures to examine financial institutions’ compliance with GLBA Title V provisions.

Specifically, the FDIC established rules and regulations that appropriately address the applicable provisions related to safeguarding customer information and privacy notice requirements and established adequate guidance and examination procedures to help ensure that financial institutions under its jurisdiction meet the safeguarding and privacy notice requirements. The DSC assesses a financial institution’s compliance (1) with standards for safeguarding customer information through IT examinations and (2) with privacy notice requirements through compliance examinations. The GLBA Title V provisions related to FCRA-affiliate information sharing have not yet been fully implemented, but are being addressed through proposed interagency regulations still in process.

Regarding GLBA Title V provisions related to fraudulent access to financial information, the FDIC issued guidance on identity theft and pretext calling to financial institutions, but DSC has not established specific examination procedures to determine financial institutions’ compliance with the guidance. (See Finding A: FDIC’s Progress in Implementing GLBA Title V -- Privacy Provisions.)

The FDIC has taken actions to implement the GLBA Title V provisions related to safeguarding customer information and privacy notice requirements. However, we noted that several management actions are needed related to DSC’s IT examination process.

  • Establish examination procedures for ensuring that financial institutions have controls in place to prevent unauthorized disclosure of customer financial information (Subtitle B). Although the FDIC has issued guidance on identity theft and pretext calling to inform financial institutions about developments in these two areas of consumer bank fraud, DSC’s IT examination procedures do not include steps to specifically assess how banks protect customer information from unauthorized disclosure.

  • Ensure consistency in assessing and reporting a financial institution’s level of compliance with standards for safeguarding customer information (Subtitle A). DSC’s IT General Work Program does not always specifically identify those procedures that are appropriate and necessary for assessing a financial institution’s compliance with these standards. If examination procedures do not specifically reference the safeguarding standards under review, the FDIC is at risk that key requirements may not be considered in assessing a financial institution’s compliance with the standards.

    Further, DSC has multiple guidelines at the headquarters and regional level that provide differing instructions to examiners for reporting a financial institution’s compliance with standards for safeguarding customer information. These guidelines vary from an examiner’s use of exception reporting to combined reporting of noncompliance or level of compliance. National DSC guidance on reporting compliance with the standards is needed to promote consistency among DSC’s regional offices. (See Finding B: DSC’s Examination Procedures for GLBA Title V -- Privacy.)

FINDINGS AND RECOMMENDATIONS

FINDING A: FDIC’S PROGRESS IN IMPLEMENTING GLBA TITLE V -- PRIVACY PROVISIONS

The FDIC made reasonable progress in implementing GLBA Title V Subtitle A’s provisions, as demonstrated in the regulations, FILs, and other guidance the Corporation has issued to financial institutions it supervises. In addition, the FDIC participated in interagency efforts and jointly issued standards for safeguarding customer information, examination procedures to assess compliance with those standards, and examination procedures to review compliance with privacy notice requirements. However, the FDIC’s progress in implementing Subtitle B’s provisions is modest. The Corporation issued guidance to its supervised financial institutions on identity theft and pretext calling which referenced published guidelines on the safeguards financial institutions can put into place to help prevent problems caused by pretext calling. However, as discussed in Finding B, DSC has not established specific examination procedures to review a financial institution’s compliance with the guidelines on pretext calling.

FDIC Rules and Regulations and FDIC Procedures that Address GLBA Title V Provisions

The FDIC has issued rules and regulations, guidance, and procedures that address most of the GLBA Title V provisions. Table 2 illustrates FDIC’s activities for major GLBA Title V provisions and shows that, as discussed in Finding B, DSC has not specifically identified examination procedures related to Subtitle B. Appendix III lists all GLBA Title V privacy provisions.

Table 2a: FDIC Rules, Guidance, and Implementing Procedures for Major GLBA Title V Privacy Provisions (Subtitle A. – Disclosure of Nonpublic Personal Information)

Title V Federal Register FDIC Rules and Regulations Financial Institution Letters DSC Examination Procedures
§501(b). Financial Institutions Safeguards and §505(b). Enforcement of Section 501 – Requires each “agency” to establish and implement standards relating to administrative, technical, and physical safeguards to protect nonpublic personal information. Vol. 66, 8616 - 8641 (February 1, 2001) Final Rule – Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness. Part 364, Standards for Safety and Soundness, Appendix B. Part 308, Subpart R, Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies.
  1. FIL-22-2001, March 14, 2001.
  2. FIL-68-2001, August 24, 2001.
  3. FIL-118-2002, October 9, 2002.
  4. FIL-11-2003, February 12, 2003.
  1. Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information.
  2. IT Examination Procedures:
    • IT Merit.
    • General Work Program.
    • FFIEC.
§502 – 504. The “agencies” shall consult and coordinate in developing regulations necessary to carry out purpose of Subtitle A. Vol. 65, 35162 - 35236 (June 1, 2000) Final Rule - Privacy of Consumer Financial Information. Part 332, Privacy of Consumer Financial Information.
  1. FIL-34-2000, July 5, 2000.
  2. FIL-3-2001, January 22, 2001.
  3. FIL-46-2001, May 17, 2001.
  4. FIL-73-2001, August 29, 2001.
  5. FIL-106-2001, December 20, 2001.
Interagency Examination Procedures for Reviewing Compliance with Part 332.
§506(a). Amendment – Section 621 of the Fair Credit Reporting Act is amended. Vol. 65, 63120 - 63141 (October 20, 2000) Proposed Rule, Fair Credit Reporting Regulations. Part 334 – Fair Credit Reporting. (Note: The federal banking regulators anticipate issuing a new proposed rulemaking for public comments in response to comments received on the October 20, 2000 proposal.)
  1. FIL-71-2000, October 26, 2000.
  2. FIL-26-2001, March 27, 2001.
 DCA Memorandum Transmittal Number DCA-00-009, Revised Interagency Examination Procedures for the Fair Credit Reporting Act, directs the resumption of routine examinations for compliance with the FCRA.

Source: OIG Analysis.

Table 2b: FDIC Rules, Guidance, and Implementing Procedures for Major GLBA Title V Privacy Provisions (Subtitle B – Fraudulent Access to Financial Information)

Title V Federal Register FDIC Rules and Regulations Financial Institution Letters DSC Examination Procedures
§525. Agencies to issue guidelines to ensure consistency with Subtitle B. Not Applicable (Note: This section of GLBA Title V did not require the creation of an FDIC rule and regulation or standard.) Not Applicable FIL-39-2001, May 9, 2001. Discussed in Finding B.

Source: OIG Analysis.

To verify DSC’s implementation, we selected and reviewed examination workpapers for a judgmental sample of 11 IT examinations. In all cases, we confirmed that the examination team used the appropriate examination procedures -- IT MERIT, IT General Work Program, or alternative procedures -- based on the complexity and risk of the financial institution’s technology functions. (Note: Of the 11 IT examinations we reviewed, 6 were Type I, Type II, or Type III financial institutions, and examiners used the appropriate MERIT or IT General Work Program procedures; 2 were Type IV financial institutions, and examiners used the FFIEC Work Programs, as supplemented by other procedures; 2 were data processing servicers; and 1 was a visitation.)

Internal Quality Assurance Review of the Privacy Examination Process

DSC’s Internal Control Review Section (ICRS) issued a Report on the Quality Assurance Review of the Privacy Examination Process, dated December 2002, which addressed compliance examinations of privacy notice requirements conducted at FDIC-supervised financial institutions during the first 3 months of 2002. The report identified the following findings: (1) workpaper documentation did not consistently demonstrate that a thorough privacy examination was completed; (2) examination procedures were not consistently employed to conduct privacy examinations; and (3) time associated with conducting the privacy examination was not consistently reported in the Scheduling Hours and Reporting Package, a DSC system used to monitor examination resources.

DSC developed an Action Plan to address the report findings and sent the Action Plan to Regional Directors and Deputy Regional Directors (Compliance) on May 16, 2003. The Action Plan conveyed clarifying information regarding GLBA Title V and identified responsibilities and actions to be taken by management and examination staff to ensure improvements to the privacy examination process. Table 3 presents a summary of the actions planned by DSC to address the ICRS’s findings.

Table 3: DSC Action Plan Items

Item Number Action Planned
1. Using approved interagency procedures to conduct privacy examinations.
2. Interviewing institution management to determine whether written policies and procedures reflect actual practices.
3. Requesting and reviewing joint marketing agreements between the bank and third parties.
4. Preparing a scope memorandum for the entire compliance examination.
5. Preparing and filing examiner summaries with the workpapers.
6. Establishing a baseline measurement that documents the degree to which each region has complied with actions 1-5 mentioned above.
7. Ensuring that privacy issues are discussed in routine regional meetings and conference calls, as applicable.
8. Identifying a privacy subject matter expert in each region and privacy points-of-contact in each of the field offices.
9. Emphasizing privacy during Commissioned Compliance Examiner Workshops.
10. Preparing a “Job Aid” to be used by examiners for interviewing bank staff.
11. Conduct a follow-up review of the privacy examination process in October 2003.

Source: DSC’s May 16, 2003 Memorandum to Regional Directors and Deputy Regional Directors (Compliance) from Deputy Director for Compliance and Consumer Protection.

For this evaluation, we did not review examination workpapers for privacy notice requirements examinations because DSC was in the process of developing its Action Plan when we started our review.

DSC Views on Financial Institutions’ Compliance with GLBA

DSC officials responsible for IT examinations in FDIC’s San Francisco Regional Office and Chicago Regional Office told us that the majority of FDIC-supervised financial institutions have adopted some type of information security program as required under GLBA and the implementing regulations. The examiners in the San Francisco Regional Office have encountered a few isolated instances where financial institutions were in substantial noncompliance with the standards for safeguarding customer information. For example, the examiners found either an inadequate assessment or no comprehensive risk assessment, lack of testing and monitoring of key controls, weak vendor/service provider oversight programs, and failure to provide for adequate reporting to the Board of Directors. Chicago Regional Office officials said that financial institutions’ information security programs usually fall short of fully complying with the GLBA requirements. The Chicago Regional Office’s examination findings often indicate that the information security program does not include all necessary elements; risk assessments are incomplete and/or informal; audits do not fully test key controls, systems, and procedures; and employee training and awareness initiatives are limited and infrequent.

Currently, DSC does not maintain formal statistics on instances of apparent noncompliance with standards for safeguarding customer information identified during IT examinations. Although we are not making formal recommendations in this regard, such statistics could be helpful in identifying emerging issues and trends and in assessing whether the IT examination program is achieving its desired outcomes. We encourage DSC to begin maintaining basic statistics.

The DSC does generate and maintain statistical information on noncompliance with privacy notice requirements identified during compliance examinations. We obtained summary information on the number and description of privacy notice deficiencies identified during compliance examinations conducted within the first year of the GLBA Title V enactment. Approximately 5 percent of the institutions that underwent a compliance examination were cited for a violation of FDIC Rules and Regulations, Part 332. Generally, the smaller the institution, the more often examiners found violations of Part 332. Some of the violations identified were related to the following sections of Part 332:

  • Section 332.6 – Information to be Included in Privacy Notices.
  • Section 332.4 – Initial Privacy Notice to Consumers.
  • Section 332.7 – Form of Opt Out Notice to Consumers and Opt Out Methods.
  • Section 332.12 – Limits on Sharing Account Number Information for Marketing Purposes.

The DSC’s statistics for compliance examinations conducted in 2002 and early 2003 show the most common deficiencies tend to deal with the omission of information from banks’ privacy notices and incorrect disclosures of information wherein information in a privacy notice does not always accurately reflect a financial institution’s information-sharing practices.

FINDING B: DSC’S EXAMINATION PROCEDURES FOR GLBA TITLE V -- PRIVACY

The FDIC has made progress in implementing the GLBA’s Title V provisions related to safeguarding customer information and privacy notice requirements, yet enhancements are needed in the examination process to ensure financial institutions have controls in place to prevent unauthorized disclosure of customer financial information and to provide consistency in assessing and reporting a financial institution’s compliance with standards for safeguarding customer information. DSC’s IT examination procedures do not include steps designed to explicitly assess financial institutions’ compliance with the guidance issued for Subtitle B. Without specific procedures, examinations may not be adequately assessing financial institutions’ compliance with GLBA privacy provisions to prevent and detect fraudulent access to financial information. Moreover, DSC’s IT General Work Program does not always specifically designate those procedures relevant to determining a financial institution’s compliance with safeguarding standards (Subtitle A). Without specific procedures designated as addressing GLBA, the DSC cannot be assured that examiners will consider all relevant examination procedures in assessing a financial institution’s compliance with the standards. Finally, to promote consistency in reporting financial institutions’ compliance with these standards, DSC national guidance is needed to standardize differing instructions provided to examiners by regional and headquarters officials.

Subtitle B – Fraudulent Access to Financial Information

According to Section 525 in Subtitle B, the FDIC and other federal banking regulators are to review their regulations and guidelines to ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. In response to these requirements, the FDIC and the other federal banking regulators issued guidance on how banking organizations should protect customer information against identity theft and pretext calling. The FDIC advised the financial institutions of Guidance on Identity Theft and Pretext Calling through FIL 39-2001 on May 9, 2001, and identified the guidance as a supplement to FDIC guidelines on customer information security, issued February 1, 2001, pursuant to Section 501(b) of the GLBA.

The Guidance on Identity Theft and Pretext Calling provides steps that financial institutions should take to safeguard customer information and reduce the risk of loss from identity theft and pretext calling, including the following:

  • Establishing procedures to verify the identity of individuals applying for financial products.
  • Establishing procedures to prevent fraudulent activities related to customer information.
  • Maintaining a customer information security program.
  • Reporting suspected identity theft and pretext calling through Suspicious Activity Reports (SAR).
  • Making available to customers information about how to prevent identity theft.

However, DSC’s examination procedures do not identify steps specifically designed to review a financial institution’s compliance with the guidance on pretext calling. For example, the work program could include procedures to review:

  • the measures taken by the financial institution to reduce the incidence of pretext calling, including limiting the circumstances under which customer information may be disclosed by telephone;
  • the financial institution’s training activities to determine whether employees are made aware of ways to recognize and report possible indicators of attempted pretext calling; or
  • a financial institution’s level of activity in identifying and tracking known or suspected criminal violations related to pretext calling and reporting such violations in a SAR.

Until the DSC establishes specific procedures for protecting customer financial information from unauthorized disclosure, examinations may not adequately assess financial institutions’ compliance with guidance to prevent and detect fraudulent access to financial information. The statutory requirements of Subtitle B do not explicitly require agencies to examine financial institutions’ compliance with guidance on identity theft and pretext calling. However, the legislative history of the GLBA Title V indicates a congressional expectation that federal banking regulators should examine financial institutions’ compliance with regulators’ guidance and the adequacy of those financial institutions’ controls relative to preventing and detecting pretext calling. According to the House Commerce Committee Report (H.R. Report No. 106-74, pt. 3, (1999)), Subtitle B provides additional protections against pretext calling by increasing the then-existing penalties for fraudulent information gathering and gives the FTC specific directions to prosecute violations. (Note: The enacted version of Subtitle B includes the National Credit Union Administration in Section 525 and provides the federal banking regulators with administrative enforcement powers with respect to financial institutions under their respective jurisdictions.) The report states that, “Subtitle B recognizes the importance of financial institutions implementing strong internal controls to prevent unauthorized disclosure of their customers’ private financial information.” Regarding Section 525 of Subtitle B, the congressional report indicates:

This section requires each Federal banking agency and the SEC [Securities and Exchange Commission] or self-regulatory organizations to review its regulations and guidelines governing the protection of confidential consumer financial information and to revise such provisions as necessary to ensure appropriate confidentiality safeguards. Those safeguards will include those policies, procedures, and controls as would reasonably be expected to prevent and detect activities proscribed by the legislation. The Committee expects the appropriate examining authorities to include compliance with such guidelines and the adequacy of such internal controls in their examinations of these institutions [emphasis added].

DSC officials told us that Bank Secrecy Act (BSA) examination procedures include steps for verification of controls and issuance of SARs; these areas relate to protecting customer information. Further, DSC’s IT examination work programs include procedures related to reviewing a financial institution’s information security program -- one of the safeguards identified in the guidance on pretext calling. However, DSC’s IT examination work programs do not specifically or clearly identify the information security program steps or other procedures that would assist examiners in determining compliance with the guidance on identity theft and pretext calling.

DSC officials acknowledge that IT examination work programs do not specifically include procedures for determining a financial institution’s compliance with guidance on pretext calling. However, DSC officials were not certain which examination (i.e., IT examination, safety and soundness, or compliance) should include these procedures. Accordingly, our recommendation to include steps for assessing financial institutions’ compliance with the guidance on pretext calling references DSC’s examination procedures in general rather than a specific type of examination.

Procedures for Examining Standards for Safeguarding Customer Information

The FDIC initially advised financial institutions of its examination procedures to evaluate compliance with the standards for safeguarding customer information through FIL-68-2001, dated August 24, 2001. These examination procedures were developed on an interagency basis to promote consistency among the federal banking regulators. The DSC distributed the interagency procedures to its examiners through RDM 2001-032 on August 28, 2001.

The interagency procedures included the following examination objective: “Determine whether the financial institution has established an adequate written Information Security Program and whether the program complies with the Guidelines Establishing Standards for Safeguarding Customer Information mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999.” The interagency procedures contained key questions and considerations that examiners should take into account when assessing the adequacy of a financial institution’s information security program and grouped the work steps into five categories addressing the major provisions of the standards for safeguarding customer information. Table 4 shows the five categories and examples of a key question for each category.

Table 4: Interagency Procedures – Categories and Key Questions

Category Key Question
Determine the involvement of the Board of Directors in the Information Security Program. Has the Board or its designated committee approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines?
Evaluate the risk assessment process. How does the institution assess risk to its customer information systems and nonpublic customer information?
Evaluate the adequacy of the program to manage and control risk. Review internal controls and policies. Are the controls adequate to support risk mitigation judgments?
Assess the measures taken to oversee service providers. Do contracts require service providers to implement appropriate measures to meet the objectives of the standards for safeguarding customer information?
Determine whether an effective process exists to adjust the information security program. Does the institution have an effective process to adjust the information security program as needed? Is the appropriate person assigned responsibility for adjusting the program?

Source: RDM 2001-032.

The interagency procedures clearly indicated that the work steps were intended to be in support of assessing the financial institutions’ compliance with the standards for safeguarding customer information. The interagency procedures also included steps to summarize the procedures performed and to communicate findings related to assessing compliance with the standards for safeguarding customer information.

In September 2002, the DSC issued new examination guidelines and related streamlined procedures for IT examinations, including two new work programs, IT-MERIT and IT General Work Program. The IT General Work Program replaced various work programs, including the interagency procedures for evaluating the standards for safeguarding customer information. The IT General Work Program consists of work program questions (procedures) that are linked to a “Help” section for examiners to use, when needed. The “Help” section provides a description of the purpose of each work step question and the risk to the financial institution if the question is not addressed or implemented in an acceptable manner.

Unlike the interagency procedures, DSC’s IT General Work Program is not structured to include key questions or considerations that an examiner would take into account in assessing the financial institution’s compliance with the standards for safeguarding customer information. Further, DSC’s new IT examination procedures do not include steps or references to specific procedures in the work program to assess compliance with the standards for safeguarding customer information. In addition, DSC’s examination procedures do not include steps to summarize and communicate the results of the examiner’s work related to evaluating compliance with the standards for safeguarding customer information.

We determined that 42 of the 67 procedures in the IT General Work Program relate to the standards for safeguarding customer information, but we identified only 1 procedure that explicitly references GLBA and 1 procedure that cites a GLBA requirement, namely “Information Security Guidelines.” As shown in Table 5, we identified six references to the topic of safeguarding customer information in the “Help” section of the IT General Work Program.

Table 5: References to the Standards for Safeguarding Customer Information in the IT General Work Program “Help” Section

IT General Work Program Examination Procedure “Help” Section References to GLBA Customer Information Safeguarding
Audit
1d. Does the internal and/or external auditor or designated officer or employee review the following… “Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?”		 Help Section Q1d. – Does the internal and/or external auditor or designated officer review the following...”Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?”
IT Policies
2.1a. Has the board or its designated committee approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines? 		Help Section Q2.1a. –
  • Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) of 1999 requires each institution to implement a comprehensive written information security program.
  • For additional information see: FDIC Rules and Regulations – Part 364, Appendix B.
IT Policies
2.1c. Consider the following when evaluating the Risk Assessment process…		 Help Section Q2.1c. (paraphrased) –
  • Accordingly, the GLBA guidelines indicate that institutions should consider the sensitivity of customer information.
  • Under the GLBA guidelines, a financial institution should identify the threats that could result in alteration of customer information systems.
IT Policies
2.1e. Is staff adequately trained to implement the security program?		 Help Section Q2.1e. – Staff should be trained on information security and privacy guidelines promulgated by GLBA.
IT Policies
2.1h. Determine the usefulness of risk assessment reports from management to the board (or its designated committee).		 Help Section Q2.1h. – Each bank should report to its Board on the status of its information security program and the bank’s compliance with the GLBA guidelines.
Support and Delivery
4d. Is computer output (printouts, microfiche, optical disks, etc.) adequately controlled and disposed of?		 Help Section Q4d. – Controls over computer output must meet the requirements of Section 501(b) of the Gramm-Leach-Bliley Act.

Source: OIG Analysis and DSC IT General Work Program.

Table 6 illustrates IT General Work Program procedures that relate to the standards for safeguarding customer information but are not specifically identified in the procedures as related to GLBA.

Table 6: Example of GLBA-Related Examination Procedures that Do Not Reference GLBA

IT General Work Program and
Examination Procedure		 Relates to GLBA Standards (Part 364) for
Safeguarding Customer Information
IT Policies
2.1d. Review written policies and procedures and determine whether the following controls have been considered.		 Each bank shall: (1) identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer data or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
Vendor Management
2.2a. Does the bank have a vendor oversight program that includes analyzing financial statements and other reports on its significant vendor(s) and/or servicer(s)?		 Each bank shall oversee service provider arrangements.
Support and Delivery
4a. Is separation of duties and responsibilities adequate in the following areas…		 Each bank shall design its information security program with security measures to include dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.
Data and Physical Security
4.1i. Are adequate safeguards in effect to ensure that only authorized personnel are permitted in the computer area?		 Each bank shall design its information security program with security measures to include access restrictions at physical locations containing customer information to permit access only to authorized individuals.

Source: OIG Analysis, DSC IT General Work Program, and FDIC Rules and Regulations Part 364, Appendix B.

Without specific procedures designated as addressing GLBA, the DSC cannot be assured that examiners will consider all relevant examination procedures in assessing a financial institution’s compliance with standards for safeguarding customer information.

In regard to reporting a financial institution’s compliance with standards for safeguarding customer information, we noted disparities in DSC’s examination reporting guidance. DSC’s guidance for its new risk-focused IT examination procedures (RDM 2002-043) does not identify the standards for safeguarding customer information reporting requirements. However, DSC guidance (RDM 2001-032), which is still in effect, instructs examiners to note material instances of noncompliance in the report of examination. We also noted that regional DSC guidance varied from instructing examiners to report levels of compliance to instructing examiners to report on instances of noncompliance. Table 7 illustrates the different reporting guidelines.

Table 7: DSC’s Guidelines on GLBA Reporting

Guidelines Reporting Instructions
RDM 2001-032:
Examination Procedures to Evaluate Customer Information Safeguards.		 Material instances of non-compliance should be noted in the report of examination and discussed with bank management. Serious weaknesses and management’s response should be documented where appropriate in the report of examination (i.e., the risk management pages, the Examination Conclusions and Comments page, and the Apparent Violations page).
Region 1. Memorandum from Regional Director to Examiners and Assistant Examiners. In addition to including an introductory paragraph related to a review of safeguarding customer information, each report must address the bank’s compliance with the provisions of section 501(b) of GLBA and Appendix B. The length of the report comment is expected to vary based on the size and complexity of the institution being examined and the number of section 501(b) of GLBA and Appendix B exceptions. In institutions where management is well aware of the GLBA requirements, and is in full compliance, the comment need only state that compliance with GLBA was reviewed and that the bank is in compliance with all requirements.
Region 2. Memorandum from Regional Director to DSC Risk Management Examiners, Assistant Examiners and Professional Staff. When a bank has an acceptable program for the safeguarding of customer information and no material findings are noted, such cases include a brief overview of the program in the confidential section of the Report. If the program has minor deficiencies, a comment ‘recommending that the bank review the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Appendix B to Part 364 of the FDIC Rules and Regulations)’ may be appropriate. When findings are sufficiently deficient, they should be placed on the examination conclusions and supporting pages of the IT Report of Examination.
Region 3. Memorandum from Regional Director to Field Examiners and Regional Office Professional Staff. Examiners should continue to assess compliance with the Guidelines at all Safety and Soundness and/or Information Technology examinations. Weaknesses should generally be documented in the Information Technology Assessment pages; however, material instances of non-compliance may be detailed on the Violations page as a Contravention of Part 364, Appendix B. Material instances of non-compliance should also be brought forward to the Risk Management and Examination Conclusions and Comments pages, where appropriate.

Source: RDM 2001-032 and Regional Guidance.

DSC issued RDM 2001-045, Revised Report of Examination, on October 11, 2001, as guidance for examiners to use in preparing reports of examination. DSC has taken the position that the report of examination in and of itself constitutes adequate documentation of the work performed and provides the basis for conclusions reached. Further, DSC officials stated that the report of examination has been the primary basis and support for legal proceedings. Additionally, the DOS [Division of Supervision] Manual of Examination Policies recognizes that the report of examination generally serves as the FDIC’s primary evidentiary exhibit in formal administrative actions. For these reasons, consistency in reporting on compliance with GLBA Title V privacy provisions is important.

CONCLUSIONS AND RECOMMENDATIONS

Although the FDIC has made progress in implementing the GLBA’s Title V provisions related to safeguarding customer information and privacy notice requirements, the FDIC could take additional steps to help ensure full implementation of the GLBA Title V privacy provisions. To ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information (Subtitle B), DSC needs to identify specific procedures in its examination work programs for examiners to assess the financial institutions’ compliance with guidance on protecting customer information against identity theft. To promote consistency in assessing and reporting on a financial institution’s compliance with standards for safeguarding customer information (Subtitle A), DSC should identify the specific procedures in the IT General Work Program that are designed to assess compliance with the safeguarding standards. Further, DSC should standardize its guidance related to reporting the results of evaluating a financial institution’s compliance with the standards for safeguarding customer information.

We recommend the Director, DSC:

  1. Modify examination procedures to identify steps for assessing financial institutions’ compliance with GLBA Title V, Subtitle B, provisions intended to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information.

  2. Include in the IT General Work Program (a) procedures for summarizing the work performed in the area of GLBA Title V, Subtitle A, provisions for safeguarding customer information and (b) references to the specific procedures that examiners should consider when assessing compliance with those provisions.

  3. Issue guidance to be used by all regions regarding the manner in which a financial institution’s compliance with standards for safeguarding customer information is addressed in a report of examination.

CORPORATION COMMENTS AND OIG EVALUATION

The Director, DSC, provided a written response, dated September 24, 2003, to a draft of this report. DSC’s response is presented in its entirety in Appendix IV to this report. We also had subsequent discussions with DSC staff to clarify aspects of the written response.

DSC concurred with recommendations 1 and 3. DSC partially concurred with recommendation 2, but presented an alternative corrective action that addresses the intent of this recommendation. Specifically, DSC agreed with the intent of recommendation 2 but stated that the IT General Work Program was purposely written in general terms to serve as an all-inclusive document that replaced several existing IT work programs, including examination procedures to evaluate customer information safeguards. To address this recommendation, DSC agreed to issue guidance to examiners in the form of an RDM that will identify specific procedures that examiners should consider when assessing compliance with GLBA Title V, Subtitle A, provisions and procedures for summarizing the work performed in this area. DSC stated that the RDM will be issued by December 31, 2003.

DSC’s comments were responsive, and DSC’s proposed actions are sufficient to resolve the recommendations. The recommendations will remain undispositioned and open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. Appendix V presents a summary table showing DSC’s responses to our three recommendations.

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our evaluation was to determine whether DSC has made reasonable progress in implementing Title V privacy provisions of the GLBA. This evaluation addressed both Subtitle A – Disclosure of Nonpublic Personal Information and Subtitle B – Fraudulent Access to Financial Information.

To accomplish our objective, we performed the following work:

  • Identified and reviewed laws, regulations, guidance, and procedures related to the FDIC’s responsibilities in the area of consumer financial privacy in order to gain an understanding of FDIC’s responsibilities in implementing GLBA Title V provisions and DSC’s approach to conducting examinations of financial institutions’ compliance with consumer privacy requirements.

    1. Gramm-Leach-Bliley Act of 1999, Title V -- Privacy.
    2. Federal Deposit Insurance Act, Section 8.
    3. FDIC Rules and Regulations, Part 334 Proposed Rule, Fair Credit Reporting Regulations.
    4. FDIC Rules and Regulations, Part 332, Privacy of Consumer Financial Information.
    5. FDIC Rules and Regulations, Part 364, Standards for Safety and Soundness, Appendix B, Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
    6. FDIC Rules and Regulations, Part 308, Subpart R, Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies.
    7. DSC Regional Directors Memorandum (RDM) 2001-032, dated August 28, 2001, entitled Examination Procedures to Evaluate Customer Information Safeguards.
    8. RDM 2002-043, dated September 30, 2002, entitled Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines.
    9. RDM 2001-045, dated October 11, 2001, entitled Revised Report of Examination.
    10. Division of Compliance and Consumer Affairs (DCA) Director’s Memorandum DCA 01-002, dated May 18, 2001, entitled Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information.
    11. DSC Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information Safeguards, as of August 28, 2001.
    12. DSC IT Examination Procedures as of September 30, 2002, including: (a) Integrated Examination Guidelines, (b) Technology Profile Script, (c) IT Examination Questionnaire, (d) Request List, (e) IT-MERIT Examination Procedures, and (f) IT General Work Program.
    13. Interagency Examination Procedures for Reviewing Compliance with Part 332 – Privacy of Consumer Financial Information.


  • Coordinated with FDIC OIG Counsel’s office to obtain a legal review or interpretation regarding: (1) evaluation approach; (2) our Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Examination Procedures and related crosswalks; and (3) Subtitle B requirements.

  • Reviewed Financial Institution Letters related to GLBA consumer privacy matters to gain an understanding of GLBA Title V requirements for federal banking regulators and financial institutions.

  • Interviewed DSC officials in Washington, D.C., who are responsible for implementing DSC’s IT and compliance examination approaches for consumer privacy. We interviewed DSC officials in three FDIC regional offices in San Francisco, Chicago, and Dallas/Memphis who are responsible for implementing DSC’s IT examination procedures related to consumer privacy.

  • To verify implementation of DSC’s examination procedures to assess financial institutions’ compliance with the standards for safeguarding customer information, we reviewed examination workpapers for 11 sampled IT examinations. The sample of IT examinations was selected by another OIG Corporate Evaluations team performing the evaluation of Business Continuity at FDIC Supervised Institutions (Assignment Number 2003 006). Due to the common focus of both evaluations, i.e., the IT examination process and the timing of both assignments, we used the sample of IT examinations selected by the team conducting the business continuity evaluation.

  • The sample focused on IT examinations that started after January 1, 2003 and ended before May 22, 2003 in order to capture IT examinations that were conducted after issuance of the revised IT examination guidelines in September 2002. Two exceptions to this scope were: (1) an IT examination that was conducted in 2002, but had a related “visitation” in 2003; and (2) a Multi-Regional Data Processing Servicer (MDPS) examination that was performed in May 2002. This May 2002 MDPS examination was selected because it was the most recent MDPS examination for which the FDIC was the lead agency. To gain an understanding of the relative differences in DSC’s approach, the team conducting the business continuity evaluation judgmentally selected IT examinations for institutions that were located in large metropolitan areas with various asset sizes and complexities.

    Our sample was composed of the following:

    Table in Appendix I: Composition of Sample

    TYPE NUMBER OF SAMPLED INSTITUTIONS
    I 1
    II 1
    III 4
    IV 2
    Data Processing Servicers 2
    Visitation 1


  • For the sampled examinations, we reviewed, when available, the following documents in the examination workpapers:

    • Report of Examination.
    • Technology Profile Script.
    • IT Examination Questionnaire.
    • Request Lists and Entry Letter.
    • Pre-examination planning memorandum.
    • On-site examination procedures and work programs used and examiner’s documentation of work performed.


  • We interviewed the Examiner-in-Charge (EIC) for each of the sampled examinations to obtain an understanding of procedures performed to assess the financial institutions’ compliance with standards for safeguarding customer information.

  • We performed a cursory review of the workpapers related to the examination that was performed in 2002, but had a related “visitation” in 2003. We reviewed the workpapers related to GLBA to determine which procedures were performed in 2002 and at the visitation. In addition, we contacted the EIC for this visitation and asked the standard questions we asked of the other EICs.

  • We gained an understanding of the management control activities associated with the implementation of GLBA Title V by reviewing DSC’s examination procedures and through interviews with DSC management and EICs. Our testing of FDIC’s compliance with laws and regulations was limited to those sections of GLBA Title V applicable to the FDIC. We developed a crosswalk between GLBA Title V and FDIC Rules and Regulations, and DSC’s examination policies and procedures. We did not test for fraud or illegal acts or determine the reliability of computer-processed data obtained from the FDIC’s computerized systems.

  • Our work to address the Government Performance and Results Act included reviewing the FDIC 2001-2006 Strategic Plan to identify any goals related to GLBA Title V -- Privacy. (Note: Pub. L. No. 103-62, codified in titles 5, 31, and 39, U.S.C.) We also reviewed the FDIC’s 2003 Annual Performance Plan, in particular, the plan for the Supervision Program, to identify strategic goals, objectives, or annual performance goals that relate directly to GLBA privacy. The 2001-2006 Strategic Plan and the 2003 Annual Performance Plan included the strategic goal: “Consumers’ rights are protected and FDIC supervised institutions invest in their communities.” However, we did not identify specific goals or objectives that mentioned GLBA Title V -- Privacy provisions.

We performed field work in the DSC headquarters in Washington, D.C.; San Francisco Regional Office; Chicago Regional Office; and Memphis Regional Office. We conducted our evaluation from April 2003 through August 2003, in accordance with generally accepted government auditing standards.

APPENDIX II: ACRONYMS USED IN REPORT

Table in Appendix II: Acronyms Used in Report

Acronym Description
BSA Bank Secrecy Act
DCA Division of Compliance and Consumer Affairs
DSC Division of Supervision and Consumer Protection
ED Examination Documentation
EIC Examiner-In-Charge
FCRA Fair Credit Reporting Act
FDI Act Federal Deposit Insurance Act
FDIC Federal Deposit Insurance Corporation
FFIEC Federal Financial Institutions Examination Council
FIL Financial Institution Letter
FTC Federal Trade Commission
GAO General Accounting Office
GLBA Gramm-Leach-Bliley Act of 1999
H.R. U.S. House of Representatives
ICRS Internal Control and Review Section
IT Information Technology
MDPS Multi-Regional Data Processing Servicer
OIG Office of Inspector General
RDM Regional Directors Memorandum
SAR Suspicious Activity Report

 

APPENDIX III: SUMMARY CROSSWALK OF GLBA TITLE V PROVISIONS TO FDIC RULES AND REGULATIONS AND FDIC PROCEDURES

Table A in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 501. Protection of Nonpublic Personal Information)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
501(a) Privacy Policy. [Financial Institution Responsibility] [Financial Institution Responsibility]
501(b) Financial Institutions Safeguards. Part 364, Standards for Safety and Soundness, Appendix B – Interagency Guidelines Establishing Standards for Safeguarding Customer Information. FIL-22-2001, Guidelines Establishing Standards for Safeguarding Customer Information, dated March 14, 2001, describes the agencies’ expectations for a financial institution to create, implement, and maintain an information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities.

FIL-68-2001, Examination Procedures to Evaluate Customer Information Safeguards, dated August 24, 2001, provided financial institutions the examination procedures to assist them in their compliance efforts.

RDM 2001-032, Examination Procedures to Evaluate Customer Information Safeguards, issued by the FDIC on August 28, 2001, to distribute examination procedures to determine compliance with Appendix B to Part 364.

FIL-118-2002, New Examination Procedures for Assessing Information Technology Risk, dated October 9, 2002, announced new examination procedures for assessing information technology (IT) risk.

RDM 2002-043, Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT); and IT General Work Program Guidelines, issued by the FDIC on September 30, 2002:
  • IT-MERIT procedures used for banks with the least technology risk.

  • IT General Work Program used for banks with low to moderate technology risk.

  • IT General Work Program supplemented with FFIEC Work Programs used for banks having fully integrated networking into their operations.

  • FFIEC Work Programs used for banks relying upon networks and other communication systems as a critical element of their operations.
FIL-11-2003, New Information Security Guidance for Examiners and Financial Institutions, dated February 12, 2003, describes the new FFIEC booklet with revised guidance for identifying institutions' information security risks and evaluating their risk-management practices.

Table B in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 502. Obligations with Respect to Disclosures of Personal Information)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
502(a) Notice Requirements. Part 332, Privacy of Consumer Financial Information.

Section 332.1(a) Purpose and scope
  • Requires a financial institution to provide notice to customers about its privacy policies and practices.

  • Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties.

  • Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to exceptions.
FIL-34-2000, Final Rule on the Privacy of Consumers' Financial Information, dated June 5, 2000, notified financial institutions of the issuance of the final rule on the privacy of consumers' financial information.

FIL-3-2001, FDIC Creates Privacy Rule Handbook to Assist Banks With Compliance, dated January 22, 2001, provided a Privacy Rule Handbook, produced by the FDIC, to help financial institutions comply with the final rule governing the privacy of consumer financial information and implement effective consumer privacy policies.

FIL-46-2001, FFIEC Compliance Examination Procedures for Part 332 – “Privacy of Consumer Financial Information,” dated May 17, 2001, announced FFIEC-developed examination procedures to be used to review supervised financial institutions for compliance with the agencies’ regulation on Privacy of Consumer Information.

FDIC’s Division of Compliance and Consumer Affairs (DCA) issued a memorandum (Transmittal No. DCA 01-002) on May 18, 2001, to all DCA staff distributing the approved examination procedures developed by the FFIEC. FFIEC procedures were effective for compliance examinations beginning after July 1, 2001.
  • FFIEC’s examination procedures include steps to: identify the financial institution’s information sharing practices with affiliates and nonaffiliated third parties; determine how the institution treats nonpublic personal information; and determine the manner in which the institution administers its opt-out rules. Depending on the institution’s information-sharing practices, examiners are directed to complete various modules within the procedures. There are six modules. The procedures include an examination checklist containing 50 questions designated for “Yes/No” responses.
FIL-73-2001, Federal Financial Institutions Examination Council CD-ROM on Financial Privacy and Information Security, dated August 29, 2001, distributed a CD ROM that contained 12 multimedia presentations with audio accompaniment addressing consumer financial privacy, including all aspects of the new privacy rule and the 501(b) security guidelines.

FIL-106-2001, Frequently Asked Questions for the Privacy Regulation, dated December 20, 2001, developed with the other federal financial institution regulatory agencies, was issued as answers to "frequently asked questions" that represent clarifications and interpretations of the final rule governing the privacy of consumer financial information.
502(b) Opt Out. Section 332.7 Form of opt out notice to consumers; opt out methods.

Section 332.9 Delivering privacy and opt out notices.

Section 332.13 Exception to opt out requirements for service providers and joint marketing.

Section 332.15 Other exceptions to notice and opt out requirements.		 FFIEC Procedures, Part A and Module 1.
502(c) Limits on Reuse of Information. Section 332.11 Limits on redisclosure and reuse of information. FFIEC Procedures, Part A and Modules 4 and 5.
502(d) Limitations on the Sharing of Account Number Information for Marketing Purposes. Section 332.12 Limits on Sharing account number information for marketing purposes. FFIEC Procedures, Part A and Module 6.
502(e) General Exceptions. Section 332.14 Exceptions to notice and opt out requirements for processing and servicing transactions.

Section 332.15 Other exceptions to notice and opt out requirements.		 FFIEC Procedures, Part A and Module 1.

Table C in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 503. Disclosure of Institution Privacy Policy.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
503(a) Disclosure Required. Section 332.4 Initial privacy notice to consumers required.

Section 332.5 Annual privacy notice to customers required.

Section 332.8 Revised Privacy Notices.

Section 332.9 Delivering privacy and opt out notices.		 FFIEC Procedures, Part A and Module 1.
503(b) Information To Be Included. Section 332.6 Information to be included in privacy notices. FFIEC Procedures, Part A and Module 1.

Table D in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 504. Rulemaking.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
504(a) Regulatory Authority. Part 364, Appendix B, Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

Part 332 Privacy of Consumer Financial Information.

Part 334 Fair Credit Reporting (proposed). 		 
504(b) Authority To Grant Exceptions. Not Applicable OIG Comment: The regulations do not prescribe any “additional exceptions” to subsection (a) through (d) of section 502.
[End of OIG Comment.]

Table E in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 505. Enforcement.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
505(a) In General. Not Applicable – Covered under Section 8 of the FDI Act.  
505(b) Enforcement of Section 501. Section 364.101(b); Part 364, Appendix B. Interagency Guidelines Establishing Standards for Safeguarding Customer Information.

Part 308, Subpart R, Submission and Review of Safety and Soundness Compliance Plans and Issuance of Orders to Correct Safety and Soundness Deficiencies. 		 
505(c) Absence of State Action. Not Applicable  
505(d) Definitions. Not Applicable  

Table F in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 506. Protection of Fair Credit Reporting Act.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
506(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended. Part 334 – Fair Credit Reporting.

The banking regulators anticipate issuing a new proposed rulemaking for public comments, due to comments being received on the October 20, 2000 proposal. 		OIG Comment: The authority of the federal financial institution regulatory agencies to conduct routine examinations for compliance with the Fair Credit Reporting Act (FCRA) is restored.
[End of OIG Comment.]

Division of Compliance and Consumer Affairs Memorandum Transmittal Number DCA 00-009, Revised Interagency Examination Procedures for the Fair Credit Reporting Act, directs the resumption of routine examinations for compliance with the FCRA.

OIG Comment: Federal banking agencies shall jointly prescribe regulations as necessary to carry out the purposes of FCRA with respect to financial institutions.
[End of OIG Comment.]

FIL-71-2000, Proposed Regulations Implementing the Fair Credit Reporting Act, dated October 26, 2000. This FIL distributes the proposed rule, Part 334, published in the Federal Register (Vol. 65, No. 204, dated October 20, 2000).

FIL-26-2001, Guidance on the Timing and Preparation of Privacy Notices to Conform to Fair Credit Reporting Act Requirements, dated March 27, 2001. This FIL provides guidance on a technical and timing aspect of the proposed rule, Part 334.
506(b) Conforming Amendment. Not Applicable  
506(c) Relation to Other Provisions. Section 332.16 Protection of Fair Credit Report Act.  

Table G in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 507. Relation to State Laws.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
507(a) In General. Section 332.17 Relation to State Laws.  
507(b) Greater Protection Under State Law. Section 332.17 Relation to State Laws.  

Table H in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 508. Study of Information Sharing Among Financial Affiliates.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
508(a) In General. Not Applicable  
508(b) Consultation. Not Applicable  
508(c) Report. Not Applicable  

Table I in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 509. Definitions.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
  Part 364, Appendix B, Section I.C. Definitions

Section 332.3 Definitions 		 

Table J in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle A – Disclosure of Nonpublic Personal Information; 510. Effective Date.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
  Part 364, Appendix B, Section III.G. Implement the Standards

Section 332.18 Effective date; transition rule.		 FIL-68-2001, Examination Procedures to Evaluate Customer Information Safeguards, dated August 24, 2001, stated that the effective date of the Section 501(b) provisions was July 1, 2001.

FIL-34-2000, Final Rule on the Privacy of Consumers' Financial Information, dated June 5, 2000, stated that the rule took effect on November 13, 2000, but financial institutions had until July 1, 2001, to be in mandatory compliance with the regulation.

Table K in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 521. Privacy Protection for Customer Information of Financial Institutions.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
521(a) Prohibition on Obtaining Customer Information by False Pretenses. Not Applicable FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated May 9, 2001.
521(b) Prohibition on Solicitation of a Person to Obtain Customer Information from Financial Institution under False Pretenses. Not Applicable FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated May 9, 2001.
521(c) Nonapplicability to Law Enforcement Agencies. Not Applicable  
521(d) Nonapplicability to Financial Institutions in Certain Cases. Not Applicable  
521(e) Nonapplicability to Insurance Institutions for Investigation of Insurance Fraud. Not Applicable  
521(f) Nonapplicability to Certain Types of Customer Information of Financial Institutions. Not Applicable  
521(g) Nonapplicability to Collection of Child Support Judgments. Not Applicable  

Table L in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 522. Administrative Enforcement.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
522(a) Enforcement by Federal Trade Commission. Not Applicable  
522(b) Enforcement by Other Agencies in Certain Cases. Not Applicable - Covered under Section 8 of the FDI Act.  

Table M in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 523. Criminal Penalty.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
523(a) In General. Not Applicable FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated May 9, 2001.
523(b) Enhanced Penalty for Aggravated Cases. Not Applicable FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated May 9, 2001.

Table N in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 524. Relation to State Laws.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
524(a) In General. Not Applicable  
524(b) Greater Protection Under State Law. Not Applicable  

Table O in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 525. Agency Guidance.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
  Not Applicable FIL-39-2001, Guidance on Identity Theft and Pretext Calling, dated May 9, 2001, summarized federal laws regarding identity theft and pretext calling; discusses measures that banks can take to protect customer information; informs banks on how suspected criminal activity should be reported; highlights the importance of consumer education; and provides references for additional assistance.

OIG Comment: The FDIC has not issued specific examination procedures that address this provision. (Refer to Finding B.)
[End of OIG Comment.]

Table P in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 526. Reports.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
526(a) Report to the Congress. Not Applicable  
526(b) Annual Report by Administering Agencies. Not Applicable  

Table Q in Appendix III: Summary Crosswalk of GLBA Title V Provisions to FDIC Rules and Regulations and FDIC Procedures (Subtitle B – Fraudulent Access to Financial Information; 527. Definitions.)

GLBA Title V Section Number and Heading FDIC Rules and Regulations Financial Institution Letters (FIL) and/or
DSC Examination Procedures
  Not Applicable  

 

APPENDIX IV: CORPORATION COMMENTS

FDIC Federal Deposit Insurance Corporation
Federal Deposit Insurance Corporation
550 17th St. NW, Washington, DC 20429
Division of Supervision and Consumer Protection

September 24, 2003

TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits

FROM: Michael J. Zamorski [Electronically produced version; original signed by Michael J. Zamorski], Director

SUBJECT: DSC Response to OIG Draft Report Entitled The Federal Deposit Insurance Corporation’s Progress in Implementing the Gramm-Leach-Bliley Act Title V-- Privacy Provisions (Assignment No. 2003-033)

The subject draft report from the Office of Inspector General (OIG) includes three recommendations to improve the Division of Supervision and Consumer Protection’s (DSC) approach to implementing the Gramm-Leach-Bliley Act Title V -- Privacy Provisions. Each recommendation is listed below followed by DSC’s response.

  1. Modify examination procedures to identify steps for assessing financial institutions’ compliance with GLBA Title V, Subtitle B, provisions intended to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information.

    DSC concurs with this recommendation. We will incorporate specific examination procedures in to the IT General work program for evaluating a bank’s compliance with the pretext calling guidelines as described in Financial Institution Letter 39-2001, dated May 9, 2001. However, DSC would like to defer any revision of current procedures dealing with this area in order to also incorporate elements of the interagency guidance for financial institution identity theft response programs, which is currently out for comment to the general public (see Financial Institution Letter 63-2003, dated August 12, 2003).

    DSC Action:

    The DSC E-Banking Branch is in the process of performing a periodic review of the IT General Work Program and IT-MERIT procedures. Revisions will be made to accommodate the OIG’s recommendation. This review and edit process will be completed by March 31, 2004.

  2. Include in the IT General Work Program (a) procedures for summarizing the work performed in the area of GLBA Title V, Subtitle A, provisions for safeguarding customer information and (b) references to the specific procedures that examiners should consider when assessing compliance with those provisions.

    DSC partially concurs with this recommendation. The IT General Work Program was purposely written in general terms to serve as an all inclusive document, which replaced several existing IT work programs, including examination procedures to evaluate customer information safeguards. The IT General Work Program eliminated redundancies that existed in the numerous work programs and was written to ensure examiners evaluate all critical risk areas involving IT,