In Brief: Banks State Case On 3d-Party Safety

WASHINGTON - Bankers are urging federal regulators not to hold them responsible for the computer security practices of third parties with which they do business.

As required by the Gramm-Leach-Bliley Act of 1999, the four banking agencies in June proposed guidelines for the industry's data systems to protect confidential customer information. Under the proposal, banks would be required to maintain an information security program that matches the institution's size, complexity, and scope of products and services.

Though supportive of the proposal overall in comment letters due last week, industry officials balked at regulators' questioning whether banks should be liable for how customer information is handled by third-party vendors.

"Any obligation to audit, monitor, or inspect would be extremely burdensome to financial institutions and their service providers, would be regarded as highly intrusive by service providers, and would significantly increase costs to the institutions and their customers," Richard M. Whiting, executive director and general counsel for the Financial Services Roundtable, wrote Aug. 24.

"Many community banks outsource information- and data-related activities," Charlotte M. Bahin, director of regulatory affairs for America's Community Bankers, wrote in an Aug. 25 letter. "An active policing requirement will limit or may even eliminate activities in which community banks will be able to engage."

In response to regulators' other questions, officials urged them to keep information systems standards in the form of guidelines rather than issue them as regulations.

Banks are currently examined for their information technology procedures, John J. Byrne, senior federal counsel for the American Bankers Association, wrote Aug. 23. "We believe that the goal of having effective policies in security and confidentiality of customer information is already being met by the industry," he said. "The issuance of regulations would simply open up the potential for technical violations, and guidelines have been proven to work effectively."
