Agency Information Collection Activities: Information Collection Renewal; Submission for OMB Review; Guidance Regarding Unauthorized Access to Customer Information

Issuing agencies

Abstract

The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA). In accordance with the requirements of the PRA, the OCC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC is soliciting comment concerning the renewal of its information collection titled, "Guidance Regarding Unauthorized Access to Customer Information." The OCC also is giving notice that it has sent the collection to OMB for review.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 152 (Monday, August 11, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 152 (Monday, August 11, 2025)]
[Notices]
[Pages 38696-38697]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-15202]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Submission for OMB Review; Guidance Regarding Unauthorized 
Access to Customer Information

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, as part of its continuing effort to reduce paperwork 
and respondent burden, invites comment on a continuing information 
collection, as required by the Paperwork Reduction Act of 1995 (PRA). 
In accordance with the requirements of the PRA, the OCC may not conduct 
or sponsor, and the respondent is not required to respond to, an 
information collection unless it displays a currently valid Office of 
Management and Budget (OMB) control number. The OCC is soliciting 
comment concerning the renewal of its information collection titled, 
``Guidance Regarding Unauthorized Access to Customer Information.'' The 
OCC also is giving notice that it has sent the collection to OMB for 
review.

DATES: Comments must be received by September 10, 2025.

ADDRESSES: Commenters are encouraged to submit comments by email, if 
possible. You may submit comments by any of the following methods:
    <bullet> Email: <a href="/cdn-cgi/l/email-protection#245456454d4a424b644b47470a50564145570a434b52"><span class="__cf_email__" data-cfemail="d6a6a4b7bfb8b0b996b9b5b5f8a2a4b3b7a5f8b1b9a0">[email&#160;protected]</span></a>.
    <bullet> Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, Attention: 1557-
0227, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
    <bullet> Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
    <bullet> Fax: (571) 465-4326.
    Instructions: You must include ``OCC'' as the agency name and 
``1557-0227'' in your comment. In general, the OCC will publish 
comments on <a href="http://www.reginfo.gov">www.reginfo.gov</a> without change, including any business or 
personal information provided, such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    Written comments and recommendations for the proposed information 
collection should also be sent within 30 days of publication of this 
notice to <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. You can find this 
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.
    You may review comments and other related materials that pertain to 
this information collection following the close of the 30-day comment 
period for this notice by the method set forth in the next bullet.
    <bullet> Viewing Comments Electronically: Go to <a href="http://www.reginfo.gov">www.reginfo.gov</a>. 
Hover over the ``Information Collection Review'' tab and click on 
``Information Collection Review'' from the drop-down menu. From the 
``Currently under Review'' drop-down menu, select ``Department of 
Treasury'' and then click ``submit.'' This information collection can 
be located by searching OMB control number ``1557-0227'' or ``Guidance 
Regarding Unauthorized Access to Customer Information.'' Upon finding 
the appropriate information collection, click on the related ``ICR 
Reference Number.'' On the next screen, select ``View Supporting 
Statement and Other Documents'' and then click on the link

[[Page 38697]]

to any comment listed at the bottom of the screen.
    <bullet> For assistance in navigating <a href="http://www.reginfo.gov">www.reginfo.gov</a>, please 
contact the Regulatory Information Service Center at (202) 482-7340.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, Clearance Officer, 
(202) 649-5490, Chief Counsel's Office, Office of the Comptroller of 
the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, 
hard of hearing, or have a speech disability, please dial 7-1-1 to 
access telecommunications relay services.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501 et seq.), 
Federal agencies must obtain approval from the OMB for each collection 
of information that they conduct or sponsor. ``Collection of 
information'' is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to 
include agency requests or requirements that members of the public 
submit reports, keep records, or provide information to a third party. 
The OCC asks the OMB to extend its approval of the collection in this 
notice.
    Title: Guidance Regarding Unauthorized Access to Customer 
Information.
    OMB Control No.: 1557-0227.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Description: Section 501(b) of the Gramm-Leach-Bliley Act (15 
U.S.C. 6801(b)) requires the OCC to establish appropriate standards for 
national banks, Federal savings associations, Federal branches and 
Federal agencies of foreign banks, and any subsidiaries of such 
entities (except brokers, dealers, persons providing insurance, 
investment companies, and investment advisers) relating to 
administrative, technical, and physical safeguards: (1) to insure the 
security and confidentiality of customer records and information; (2) 
to protect against any anticipated threats or hazards to the security 
or integrity of such records; and (3) to protect against unauthorized 
access to, or use of, such records or information that could result in 
substantial harm or inconvenience to any customer.
    The Interagency Guidelines Establishing Information Security 
Standards, 12 CFR part 30, appendix B (Security Guidelines), which 
implement section 501(b), require each entity supervised by the OCC 
(supervised institution) to consider and adopt a response program, as 
appropriate, that specifies actions to be taken when the supervised 
institution suspects or detects that unauthorized individuals have 
gained access to customer information systems.
    The Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice (Breach Notice 
Guidance),\1\ which interprets the Security Guidelines, states that, at 
a minimum, a supervised institution's response program should contain 
procedures for:
---------------------------------------------------------------------------

    \1\ 12 CFR part 30, appendix B, supplement A.
---------------------------------------------------------------------------

    (1) Assessing the nature and scope of an incident, and identifying 
what customer information systems and types of customer information 
have been accessed or misused;
    (2) Notifying its primary Federal regulator as soon as possible 
when the supervised institution becomes aware of an incident involving 
unauthorized access to, or use of, sensitive customer information;
    (3) Notifying appropriate law enforcement authorities, in addition 
to filing a timely Suspicious Activity Report in situations involving 
Federal criminal violations requiring immediate attention, such as when 
a reportable violation is ongoing, consistent with the OCC's Suspicious 
Activity Report regulations;
    (4) Taking appropriate steps to contain and control the incident in 
an effort to prevent further unauthorized access to, or use of, 
customer information, for example, by monitoring, freezing, or closing 
affected accounts, while preserving records and other evidence; and
    (5) Notifying customers when warranted.
    The Breach Notice Guidance states that, when a financial 
institution becomes aware of an incident of unauthorized access to 
sensitive customer information, the institution should conduct a 
reasonable investigation to promptly determine the likelihood that the 
information has been or will be misused. If the institution determines 
that the misuse of its information about a customer has occurred or is 
reasonably possible, it should notify the affected customer as soon as 
possible.

Estimated Burden

    Estimated Frequency of Response: On occasion.
    Estimated Number of Respondents: 30.
    Total Estimated Burden Hours: 1,080.
    Comments: On June 3, 2025, the OCC published a 60-day notice for 
this information collection (90 FR 23606). No comments were received.
    Comments continue to be invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the OCC, including whether the 
information has practical utility;
    (b) The accuracy of the OCC's estimate of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

Eden Gray,
Assistant Director, Office of the Comptroller of the Currency.
[FR Doc. 2025-15202 Filed 8-8-25; 8:45 am]
BILLING CODE 4810-33-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>