The Division of Supervision and Consumer Protection (DSC) appreciates the opportunity to
respond to the Office of Inspector General (OIG) draft report entitled FDIC’s Guidance to
Institutions and Examiners for Implementing the Gramm-Leach-Bliley Act (GLBA) Title V and
the Fair and Accurate Credit Transactions Act (FACT Act). We are gratified that you found that
DSC “has established rules and regulations that appropriately address the GLBA Title V
provisions related to the privacy and security of consumer information.” Further, you found that DSC
“provided adequate guidance to FDIC-supervised institutions and established adequate
examination guidance and procedures to ensure that these institutions meet GLBA
requirements.” With respect to the FACT Act, FDIC continues to be fully engaged in the
inter-agency processes to issue joint guidance on remaining items.
OIG RECOMMENDATIONS
We recommend the Director, DSC:
- Finalize interim examination guidance that addresses FACT Act data security provisions for which final rules and regulations have been issued or that are self-executing.
- Develop, in coordination with the joint-agency rulemaking committee, a more aggressive project management plan that will expedite the issuance of final rules and regulations for all FACT Act data security provisions.
DSC RESPONSE
DSC concurs with the intent of your recommendations and provides the following responses to
your recommendations.
- We are fully committed and are in the process of developing and issuing examination guidance.
Examination guidance that addresses FACT Act provisions for which final rules and
regulations have been issued or that are self-executing will be issued as planned by year-end
2006. For areas to be covered by compliance examinations, procedures which include the
self-executing FACT Act provisions have been approved by the FFIEC Consumer
Compliance Task Force. These procedures have been provided to compliance examination
staff at regional training conferences and other training venues subsequent to their approval.
They are being formally distributed to both examination staff and the industry through a
Regional Director memorandum and a Financial Institution Letter that are now under review
by DSC senior management. These actions will also be completed by year-end 2006.
- The recommendation suggests that there is one multi-agency rulemaking committee.
However, through the FACT Act, Congress directed different groups of agencies to issue
rules and guidance in different areas. Where Congress required the FDIC to participate in
these efforts, the FDIC is actively participating. Moreover, we are committed to expediting
the process. As members of the separate working groups responsible for drafting each set of
rules or guidelines, FDIC staff has consistently made efforts to move the process forward.
We will continue to promote expedited processes during 2006.
Note: The OIG has characterized its recommendations as applicable to FACT Act “data security
provisions.” However, the OIG’s draft report addresses all of the FACT Act provisions, not just
those dealing with data security. Consequently, we suggest deleting the references to “data
security” from the recommendations and have provided our answers assuming that deletion is
made in the final report.