
The Electronic Code of Federal Regulations (e-CFR) is a regularly updated, unofficial editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.


Electronic Code of Federal Regulations

e-CFR Data is current as of November 25, 2014

Title 12 → Chapter III → Subchapter B → Part 391


Title 12: Banks and Banking


PART 391—FORMER OFFICE OF THRIFT SUPERVISION REGULATIONS


Contents

Subpart A—Security Procedures

§391.1   Authority, purpose, and scope.
§391.2   Designation of security officer.
§391.3   Security program.
§391.4   Report.
§391.5   Protection of customer information.

Subpart B—Safety and Soundness Guidelines and Compliance Procedures

§391.10   Authority, purpose, scope, and preservation of existing authority.
§391.11   Determination and notification of failure to meet safety and soundness standards and request for compliance plan.
§391.12   Filing of safety and soundness compliance plan.
§391.13   Issuance of orders to correct deficiencies and to take or refrain from taking other actions.
§391.14   Enforcement of orders.
Appendix A to Subpart B of Part 391—Interagency Guidelines Establishing Standards for Safety and Soundness
Appendix B to Subpart B of Part 391—Interagency Guidelines Establishing Information Security Standards

Subpart C—Fair Credit Reporting

§391.20   Examples.
§391.21   Disposal of consumer information.
§391.22   Duties regarding the detection, prevention, and mitigation of identity theft.
§391.23   Duties of card issuers regarding changes of address.
Appendix to Subpart C of Part 391—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Subpart D—Loans in Areas Having Special Flood Hazards

§391.30   Authority, purpose, and scope.
§391.31   Definitions.
§391.32   Requirement to purchase flood insurance where available.
§391.33   Exemptions.
§391.34   Escrow requirement.
§391.35   Required use of standard flood hazard determination form.
§391.36   Forced placement of flood insurance.
§391.37   Determination fees.
§391.38   Notice of special flood hazards and availability of Federal disaster relief assistance.
§391.39   Notice of servicer's identity.
Appendix to Subpart D of Part 391—Sample Form of Notice of Special Flood Hazards and Availability of Federal Disaster Relief Assistance

Subpart E—Acquisition of Control of State Savings Associations

§391.40   Scope of subpart.
§391.41   Definitions.
§391.42   Acquisition of control of State savings associations.
§391.43   Control.
§391.44   Certifications of ownership.
§391.45   Procedural requirements.
§391.46   Determination by the FDIC.
§391.47   [Reserved]
§391.48   Rebuttal of control agreement.

Authority: 12 U.S.C. 1819 (Tenth).

Subpart A also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; 1881-1884; 15 U.S.C. 1681w; 15 U.S.C. 6801; 6805.

Subpart B also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; 1881-1884; 15 U.S.C. 1681w; 15 U.S.C. 6801; 6805.

Subpart C also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; and 1881-1884; 15 U.S.C. 1681m; 1681w.

Subpart D also issued under 12 U.S.C. 1462; 1462a; 1463; 1464; 42 U.S.C. 4012a; 4104a; 4104b; 4106; 4128.

Subpart E also issued under 12 U.S.C. 1467a; 1468; 1817; 1831i.

Source: 76 FR 47811, Aug. 5, 2011, unless otherwise noted.

Subpart A—Security Procedures

§391.1   Authority, purpose, and scope.

(a) This subpart is issued by the Federal Deposit Insurance Corporation (FDIC) under section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1828), and sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805(b)(1)), and section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w). This subpart is applicable to State savings associations. It requires each State savings association to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in the identification and prosecution of persons who commit such acts. Section 391.5 is applicable to State savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Section 391.5 requires covered institutions to establish and implement appropriate administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

(b) It is the responsibility of a State savings association's board of directors to comply with this regulation and ensure that a written security program for the State savings association's main office and branches is developed and implemented.

§391.2   Designation of security officer.

Within 30 days after the effective date of insurance of accounts, the board of directors of each State savings association shall designate a security officer who shall have the authority, subject to the approval of the board of directors, to develop, within a reasonable time but no later than 180 days, and to administer a written security program for each of the State savings association's offices.

§391.3   Security program.

(a) Contents of security program. The security program shall:

(1) Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times;

(2) Establish procedures that will assist in identifying persons committing crimes against the State savings association and that will preserve evidence that may aid in their identification and prosecution. Such procedures may include, but are not limited to:

(i) Maintaining a camera that records activity in the office;

(ii) Using identification devices, such as prerecorded serial-numbered bills, or chemical and electronic devices; and

(iii) Retaining a record of any robbery, burglary, or larceny committed against the State savings association;

(3) Provide for initial and periodic training of officers and employees in their responsibilities under the security program and in proper employee conduct during and after a burglary, robbery, or larceny; and

(4) Provide for selecting, testing, operating and maintaining appropriate security devices, as specified in paragraph (b) of this section.

(b) Security devices. Each State savings association shall have, at a minimum, the following security devices:

(1) A means of protecting cash and other liquid assets, such as a vault, safe, or other secure space;

(2) A lighting system for illuminating, during the hours of darkness, the area around the vault, if the vault is visible from outside the office;

(3) Tamper-resistant locks on exterior doors and exterior windows that may be opened;

(4) An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery or burglary; and

(5) Such other devices as the security officer determines to be appropriate, taking into consideration:

(i) The incidence of crimes against financial institutions in the area;

(ii) The amount of currency and other valuables exposed to robbery, burglary, or larceny;

(iii) The distance of the office from the nearest responsible law enforcement officers;

(iv) The cost of the security devices;

(v) Other security measures in effect at the office; and

(vi) The physical characteristics of the structure of the office and its surroundings.

§391.4   Report.

The security officer for each State savings association shall report at least annually to the State savings association's board of directors on the implementation, administration, and effectiveness of the security program.

§391.5   Protection of customer information.

State savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) must comply with the Interagency Guidelines Establishing Information Security Standards set forth in appendix B to subpart B. Supplement A to appendix B to subpart B provides interpretive guidance.

Subpart B—Safety and Soundness Guidelines and Compliance Procedures

§391.10   Authority, purpose, scope, and preservation of existing authority.

(a) Authority. This subpart and the Guidelines in appendices A and B to this subpart are issued by the FDIC under section 39 (section 39) of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-1) as added by section 132 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) (Pub. L. 102-242, 105 Stat. 2236 (1991)), and as amended by section 956 of the Housing and Community Development Act of 1992 (Pub. L. 102-550, 106 Stat. 3895 (1992)), and as amended by section 318 of the Community Development Banking Act of 1994 (Pub. L. 103-325, 108 Stat. 2160 (1994)). Appendix B to this subpart is further issued under sections 501(b) and 505 of the Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338 (1999)).

(b) Purpose. Section 39 of the FDI Act requires the FDIC to establish safety and soundness standards. Pursuant to section 39, a State savings association may be required to submit a compliance plan if it is not in compliance with a safety and soundness standard established by guideline under section 39(a) or (b). An enforceable order under section 8 of the FDI Act may be issued if, after being notified that it is in violation of a safety and soundness standard prescribed under section 39, the State savings association fails to submit an acceptable compliance plan or fails in any material respect to implement an accepted plan. This subpart establishes procedures for submission and review of safety and soundness compliance plans and for issuance and review of orders pursuant to section 39. Interagency Guidelines Establishing Standards for Safety and Soundness pursuant to section 39 of the FDI Act are set forth in appendix A to this subpart. Interagency Guidelines Establishing Information Security Standards are set forth in appendix B to this subpart.

(c) Scope. This subpart and the Interagency Guidelines Establishing Standards for Safety and Soundness as set forth at appendix A to this subpart and the Interagency Guidelines Establishing Information Security Standards at appendix B to this subpart implement the provisions of section 39 of the FDI Act as they apply to State savings associations.

(d) Preservation of existing authority. Neither section 39 of the FDI Act nor this subpart in any way limits the authority of the FDIC under any other provision of law to take supervisory actions to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. Action under section 39 and this subpart may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the FDIC.

§391.11   Determination and notification of failure to meet safety and soundness standards and request for compliance plan.

(a) Determination. The FDIC may, based upon an examination, inspection, or any other information that becomes available to the FDIC, determine that a State savings association has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness as set forth in appendix A to this subpart or the Interagency Guidelines Establishing Information Security Standards as set forth in appendix B to this subpart.

(b) Request for compliance plan. If the FDIC determines that a State savings association has failed to meet a safety and soundness standard pursuant to paragraph (a) of this section, the FDIC may request by letter or through a report of examination, the submission of a compliance plan. The State savings association shall be deemed to have notice of the request three days after mailing or delivery of the letter or report of examination by the FDIC.

§391.12   Filing of safety and soundness compliance plan.

(a) Schedule for filing compliance plan—(1) In general. A State savings association shall file a written safety and soundness compliance plan with the FDIC within 30 days of receiving a request for a compliance plan pursuant to §391.11(b), unless the FDIC notifies the State savings association in writing that the plan is to be filed within a different period.

(2) Other plans. If a State savings association is obligated to file, or is currently operating under, a capital restoration plan submitted pursuant to section 38 of the FDI Act (12 U.S.C. 1831o), a cease-and-desist order entered into pursuant to section 8 of the FDI Act, a formal or informal agreement, or a response to a report of examination, it may, with the permission of the FDIC, submit a compliance plan under this section as part of that plan, order, agreement, or response, subject to the deadline provided in paragraph (a)(1) of this section.

(b) Contents of plan. The compliance plan shall include a description of the steps the State savings association will take to correct the deficiency and the time within which those steps will be taken.

(c) Review of safety and soundness compliance plans. Within 30 days after receiving a safety and soundness compliance plan under this subpart, the FDIC shall provide written notice to the State savings association of whether the plan has been approved or seek additional information from the State savings association regarding the plan. The FDIC may extend the time within which notice regarding approval of a plan will be provided.

(d) Failure to submit or implement a compliance plan. If a State savings association fails to submit an acceptable plan within the time specified by the FDIC or fails in any material respect to implement a compliance plan, then the FDIC shall, by order, require the State savings association to correct the deficiency and may take further actions provided in section 39(e)(2)(B) of the FDI Act. Pursuant to section 39(e)(3), the FDIC may be required to take certain actions if the State savings association commenced operations or experienced a change in control within the previous 24-month period, or the State savings association experienced extraordinary growth during the previous 18-month period.

(e) Amendment of compliance plan. A State savings association that has filed an approved compliance plan may, after prior written notice to and approval by the FDIC, amend the plan to reflect a change in circumstance. Until such time as a proposed amendment has been approved, the State savings association shall implement the compliance plan as previously approved.

§391.13   Issuance of orders to correct deficiencies and to take or refrain from taking other actions.

(a) Notice of intent to issue order—(1) In general. The FDIC shall provide a State savings association prior written notice of the FDIC's intention to issue an order requiring the State savings association to correct a safety and soundness deficiency or to take or refrain from taking other actions pursuant to section 39 of the FDI Act. The State savings association shall have such time to respond to a proposed order as provided by the FDIC under paragraph (c) of this section.

(2) Immediate issuance of final order. If the FDIC finds it necessary in order to carry out the purposes of section 39 of the FDI Act, the FDIC may, without providing the notice prescribed in paragraph (a)(1) of this section, issue an order requiring a State savings association immediately to take actions to correct a safety and soundness deficiency or to take or refrain from taking other actions pursuant to section 39. A State savings association that is subject to such an immediately effective order may submit a written appeal of the order to the FDIC. Such an appeal must be received by the FDIC within 14 calendar days of the issuance of the order, unless the FDIC permits a longer period. The FDIC shall consider any such appeal, if filed in a timely manner, within 60 days of receiving the appeal. During such period of review, the order shall remain in effect unless the FDIC, in its sole discretion, stays the effectiveness of the order.

(b) Contents of notice. A notice of intent to issue an order shall include:

(1) A statement of the safety and soundness deficiency or deficiencies that have been identified at the State savings association;

(2) A description of any restrictions, prohibitions, or affirmative actions that the FDIC proposes to impose or require;

(3) The proposed date when such restrictions or prohibitions would be effective or the proposed date for completion of any required action; and

(4) The date by which the State savings association subject to the order may file with the FDIC a written response to the notice.

(c) Response to notice—(1) Time for response. A State savings association may file a written response to a notice of intent to issue an order within the time period set by the FDIC. Such a response must be received by the FDIC within 14 calendar days from the date of the notice unless the FDIC determines that a different period is appropriate in light of the safety and soundness of the State savings association or other relevant circumstances.

(2) Contents of response. The response should include:

(i) An explanation why the action proposed by the FDIC is not an appropriate exercise of discretion under section 39 of the FDI Act;

(ii) Any recommended modification of the proposed order; and

(iii) Any other relevant information, mitigating circumstances, documentation, or other evidence in support of the position of the State savings association regarding the proposed order.

(d) The FDIC's consideration of response. After considering the response, the FDIC may:

(1) Issue the order as proposed or in modified form;

(2) Determine not to issue the order and so notify the State savings association; or

(3) Seek additional information or clarification of the response from the State savings association, or any other relevant source.

(e) Failure to file response. Failure by a State savings association to file with the FDIC, within the specified time period, a written response to a proposed order shall constitute a waiver of the opportunity to respond and shall constitute consent to the issuance of the order.

(f) Request for modification or rescission of order. Any State savings association that is subject to an order under this subpart may, upon a change in circumstances, request in writing that the FDIC reconsider the terms of the order, and may propose that the order be rescinded or modified. Unless otherwise ordered by the FDIC, the order shall continue in place while such request is pending before the FDIC.

§391.14   Enforcement of orders.

(a) Judicial remedies. Whenever a State savings association fails to comply with an order issued under section 39 of the FDI Act, the FDIC may seek enforcement of the order in the appropriate United States district court pursuant to section 8(i)(1) of the FDI Act.

(b) Administrative remedies. Pursuant to section 8(i)(2)(A) of the FDI Act, the FDIC may assess a civil money penalty against any State savings association that violates or otherwise fails to comply with any final order issued under section 39 and against any State savings association-affiliated party who participates in such violation or noncompliance.

(c) Other enforcement action. In addition to the actions described in paragraphs (a) and (b) of this section, the FDIC may seek enforcement of the provisions of section 39 of the FDI Act or this part through any other judicial or administrative proceeding authorized by law.

Appendix A to Subpart B of Part 391—Interagency Guidelines Establishing Standards for Safety and Soundness

I. Introduction

   A. Preservation of existing authority.

   B. Definitions.

II. Operational and Managerial Standards

   A. Internal controls and information systems.

   B. Internal audit system.

   C. Loan documentation.

   D. Credit underwriting.

   E. Interest rate exposure.

   F. Asset growth.

   G. Asset quality.

   H. Earnings.

   I. Compensation, fees and benefits.

III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice

   A. Excessive compensation.

   B. Compensation leading to material financial loss.

I. Introduction

i. Section 39 of the Federal Deposit Insurance Act¹ (FDI Act) requires each Federal banking agency (collectively, the agencies) to establish certain safety and soundness standards by regulation or by guideline for all insured depository institutions. Under section 39, the agencies must establish three types of standards: (1) Operational and managerial standards; (2) compensation standards; and (3) such standards relating to asset quality, earnings, and stock valuation as they determine to be appropriate.

¹ Section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1) was added by section 132 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), Public Law 102-242, 105 Stat. 2236 (1991), and amended by section 956 of the Housing and Community Development Act of 1992, Public Law 102-550, 106 Stat. 3895 (1992) and section 318 of the Riegle Community Development and Regulatory Improvement Act of 1994, Public Law 103-325, 108 Stat. 2160 (1994).

ii. Section 39(a) requires the agencies to establish operational and managerial standards relating to: (1) Internal controls, information systems and internal audit systems, in accordance with section 36 of the FDI Act (12 U.S.C. 1831m); (2) loan documentation; (3) credit underwriting; (4) interest rate exposure; (5) asset growth; and (6) compensation, fees, and benefits, in accordance with subsection (c) of section 39. Section 39(b) requires the agencies to establish standards relating to asset quality, earnings, and stock valuation that the agencies determine to be appropriate.

iii. Section 39(c) requires the agencies to establish standards prohibiting as an unsafe and unsound practice any compensatory arrangement that would provide any executive officer, employee, director, or principal shareholder of the institution with excessive compensation, fees or benefits and any compensatory arrangement that could lead to material financial loss to an institution. Section 39(c) also requires that the agencies establish standards that specify when compensation is excessive.

iv. If an agency determines that an institution fails to meet any standard established by guideline under subsection (a) or (b) of section 39, the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. In the event that an institution fails to submit an acceptable plan within the time allowed by the agency or fails in any material respect to implement an accepted plan, the agency must, by order, require the institution to correct the deficiency. The agency may, and in some cases must, take other supervisory actions until the deficiency has been corrected.

v. The agencies have adopted amendments to their rules and regulations to establish deadlines for submission and review of compliance plans.²

² For the Office of the Comptroller of the Currency, these regulations appear at 12 CFR part 30; for the Board of Governors of the Federal Reserve System, these regulations appear at 12 CFR part 263; for the Federal Deposit Insurance Corporation, these regulations appear at 12 CFR part 308, subpart R, and subpart B of part 391.

vi. The following Guidelines set out the safety and soundness standards that the agencies use to identify and address problems at insured depository institutions before capital becomes impaired. The agencies believe that the standards adopted in these Guidelines serve this end without dictating how institutions must be managed and operated. These standards are designed to identify potential safety and soundness concerns and ensure that action is taken to address those concerns before they pose a risk to the Deposit Insurance Fund.

A. Preservation of Existing Authority

Neither section 39 nor these Guidelines in any way limits the authority of the agencies to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. Action under section 39 and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the agencies. Nothing in these Guidelines limits the authority of the FDIC pursuant to section 38(i)(2)(F) of the FDI Act (12 U.S.C. 1831(o)) and part 325 or part 324, as applicable of Title 12 of the Code of Federal Regulations.

B. Definitions

1. In general. For purposes of these Guidelines, except as modified in the Guidelines or unless the context otherwise requires, the terms used have the same meanings as set forth in sections 3 and 39 of the FDI Act (12 U.S.C. 1813 and 1831p-1).

2. Board of directors, in the case of a state-licensed insured branch of a foreign bank and in the case of a federal branch of a foreign bank, means the managing official in charge of the insured foreign branch.

3. Compensation means all direct and indirect payments or benefits, both cash and non-cash, granted to or for the benefit of any executive officer, employee, director, or principal shareholder, including but not limited to payments or benefits derived from an employment contract, compensation or benefit agreement, fee arrangement, perquisite, stock option plan, postemployment benefit, or other compensatory arrangement.

4. Director shall have the meaning described in 12 CFR 215.2(d).³

³ In applying these definitions for State savings associations, State savings associations shall use the terms “State savings association” and “insured State savings association” in place of the terms “member bank” and “insured bank”.

5. Executive officer shall have the meaning described in 12 CFR 215.2(e).⁴

⁴ See footnote 3 in section I.B.4. of this appendix.

6. Principal shareholder shall have the meaning described in 12 CFR 215.2(m).⁵

⁵ See footnote 3 in section I.B.4. of this appendix.

II. Operational and Managerial Standards

A. Internal controls and information systems. An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope and risk of its activities and that provide for:

1. An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies;

2. Effective risk assessment;

3. Timely and accurate financial, operational and regulatory reports;

4. Adequate procedures to safeguard and manage assets; and

5. Compliance with applicable laws and regulations.

B. Internal audit system. An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for:

1. Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used;

2. Independence and objectivity;

3. Qualified persons;

4. Adequate testing and review of information systems;

5. Adequate documentation of tests and findings and any corrective actions;

6. Verification and review of management actions to address material weaknesses; and

7. Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems.

C. Loan documentation. An institution should establish and maintain loan documentation practices that:

1. Enable the institution to make an informed lending decision and to assess risk, as necessary, on an ongoing basis;

2. Identify the purpose of a loan and the source of repayment, and assess the ability of the borrower to repay the indebtedness in a timely manner;

3. Ensure that any claim against a borrower is legally enforceable;

4. Demonstrate appropriate administration and monitoring of a loan; and

5. Take account of the size and complexity of a loan.

D. Credit underwriting. An institution should establish and maintain prudent credit underwriting practices that:

1. Are commensurate with the types of loans the institution will make and consider the terms and conditions under which they will be made;

2. Consider the nature of the markets in which loans will be made;

3. Provide for consideration, prior to credit commitment, of the borrower's overall financial condition and resources, the financial responsibility of any guarantor, the nature and value of any underlying collateral, and the borrower's character and willingness to repay as agreed;

4. Establish a system of independent, ongoing credit review and appropriate communication to management and to the board of directors;

5. Take adequate account of concentration of credit risk; and

6. Are appropriate to the size of the institution and the nature and scope of its activities.

E. Interest rate exposure. An institution should:

1. Manage interest rate risk in a manner that is appropriate to the size of the institution and the complexity of its assets and liabilities; and

2. Provide for periodic reporting to management and the board of directors regarding interest rate risk with adequate information for management and the board of directors to assess the level of risk.

F. Asset growth. An institution's asset growth should be prudent and consider:

1. The source, volatility and use of the funds that support asset growth;

2. Any increase in credit risk or interest rate risk as a result of growth; and

3. The effect of growth on the institution's capital.

G. Asset quality. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to identify problem assets and prevent deterioration in those assets. The institution should:

1. Conduct periodic asset quality reviews to identify problem assets;

2. Estimate the inherent losses in those assets and establish reserves that are sufficient to absorb estimated losses;

3. Compare problem asset totals to capital;

4. Take appropriate corrective action to resolve problem assets;

5. Consider the size and potential risks of material asset concentrations; and

6. Provide periodic asset reports with adequate information for management and the board of directors to assess the level of asset risk.

H. Earnings. An insured depository institution should establish and maintain a system that is commensurate with the institution's size and the nature and scope of its operations to evaluate and monitor earnings and ensure that earnings are sufficient to maintain adequate capital and reserves. The institution should:

1. Compare recent earnings trends relative to equity, assets, or other commonly used benchmarks to the institution's historical results and those of its peers;

2. Evaluate the adequacy of earnings given the size, complexity, and risk profile of the institution's assets and operations;

3. Assess the source, volatility, and sustainability of earnings, including the effect of nonrecurring or extraordinary income or expense;

4. Take steps to ensure that earnings are sufficient to maintain adequate capital and reserves after considering the institution's asset quality and growth rate; and

5. Provide periodic earnings reports with adequate information for management and the board of directors to assess earnings performance.

I. Compensation, fees and benefits. An institution should maintain safeguards to prevent the payment of compensation, fees, and benefits that are excessive or that could lead to material financial loss to the institution.

III. Prohibition on Compensation That Constitutes an Unsafe and Unsound Practice

A. Excessive Compensation

Excessive compensation is prohibited as an unsafe and unsound practice. Compensation shall be considered excessive when amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder, considering the following:

1. The combined value of all cash and non-cash benefits provided to the individual;

2. The compensation history of the individual and other individuals with comparable expertise at the institution;

3. The financial condition of the institution;

4. Comparable compensation practices at comparable institutions, based upon such factors as asset size, geographic location, and the complexity of the loan portfolio or other assets;

5. For postemployment benefits, the projected total cost and benefit to the institution;

6. Any connection between the individual and any fraudulent act or omission, breach of trust or fiduciary duty, or insider abuse with regard to the institution; and

7. Any other factors the agencies determine to be relevant.

B. Compensation Leading to Material Financial Loss

Compensation that could lead to material financial loss to an institution is prohibited as an unsafe and unsound practice.

[76 FR 47811, Aug. 5, 2011, as amended at 78 FR 55598, Sept. 10, 2013]

Appendix B to Subpart B of Part 391—Interagency Guidelines Establishing Information Security Standards

Table of Contents

I. Introduction

   A. Scope

   B. Preservation of Existing Authority

   C. Definitions

II. Standards for Safeguarding Customer Information

   A. Information Security Program

   B. Objectives

III. Development and Implementation of Customer Information Security Program

   A. Involve the Board of Directors

   B. Assess Risk

   C. Manage and Control Risk

   D. Oversee Service Provider Arrangements

   E. Adjust the Program

   F. Report to the Board

   G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Information Security Standards (Guidelines) set forth standards pursuant to section 39(a) of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805(b)). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to section 628 of the Fair Credit Reporting Act (15 U.S.C. 1681w).

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which FDIC has authority. For purposes of this appendix, these entities are State savings associations whose deposits are FDIC-insured and any subsidiaries of such State savings associations, except brokers, dealers, persons providing insurance, investment companies, and investment advisers. This appendix refers to such entities as “you”. These Guidelines also apply to the proper disposal of consumer information by or on behalf of such entities.

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit FDIC's authority to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. FDIC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to FDIC.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p-1).

2. For purposes of the Guidelines, the following definitions apply:

a. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by you or on your behalf for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

i. Examples. (1) Consumer information includes:

(A) A consumer report that a State savings association obtains;

(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;

(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;

(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or

(E) Information from a consumer report that you obtain about an employee or prospective employee.

(2) Consumer information does not include:

(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or

(B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.

b. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).

c. Customer means any consumer who has a customer relationship with you.

d. Customer information means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that you maintain or that is maintained on your behalf.

e. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

f. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information, through its provision of services directly to you.

II. Standards for Information Security

A. Information Security Program. You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities. While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.

B. Objectives. Your information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information;

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and

4. Ensure the proper disposal of customer information and consumer information.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. Your board of directors or an appropriate committee of the board shall:

1. Approve your written information security program; and

2. Oversee the development, implementation, and maintenance of your information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. You shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. You shall:

1. Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with your information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions for you to take when you suspect or detect that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement your information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

4. Develop, implement, and maintain, as part of your information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in this paragraph III.

D. Oversee Service Provider Arrangements. You shall:

1. Exercise appropriate due diligence in selecting your service providers;

2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers.

E. Adjust the Program. You shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of your customer information, internal or external threats to information, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. You shall report to your board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and your compliance with these Guidelines. The reports should discuss material matters related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

G. Implement the Standards. 1. Effective date. You must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that you have entered into with a service provider to perform services for you or functions on your behalf satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as you entered into the contract on or before March 5, 2001.

3. Effective date for measures relating to the disposal of consumer information. You must satisfy these Guidelines with respect to the proper disposal of consumer information by July 1, 2005.

4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., your contracts with service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.

Supplement to Appendix B of Part 391—Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

I. Background

This Guidance[1] interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”)[2] and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The scope of, and definitions of terms used in, this Guidance are identical to those of the Security Guidelines. For example, the term “customer information” is the same term used in the Security Guidelines, and means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, maintained by or on behalf of the institution.

[1] This Guidance is being jointly issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).

[2] 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and part 225, app. F (Board); 12 CFR part 364, app. A and app. B of Subpart B of Part 391 (FDIC). The “Interagency Guidelines Establishing Information Security Standards” were formerly known as “The Interagency Guidelines Establishing Standards for Safeguarding Customer Information.”

A. Interagency Security Guidelines

Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information.

Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

B. Risk Assessment and Controls

1. The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

b. The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and

c. The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.[3]

[3] See Security Guidelines, III.B.

2. Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines,[4] and adopt those that are appropriate for the institution, including:

[4] See Security Guidelines, III.C.

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

b. Background checks for employees with responsibilities for access to customer information; and

c. Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.[5]

[5] See Security Guidelines, III.C.

C. Service Providers

The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.[6]

[6] See Security Guidelines, II.B. and III.D. Further, the Agencies note that, in addition to contractual obligations to a financial institution, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission (“FTC”), 16 CFR part 314.

II. Response Program

Millions of Americans, throughout the country, have been victims of identity theft.[7] Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information. For example, financial institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information.[8] However, every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems[9] that occur nonetheless. A response program should be a key part of an institution's information security program.[10] The program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.

[7] The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report, (September 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.

[8] Institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).

[9] Under the Guidelines, an institution's customer information systems consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See Security Guidelines, I.C.2.d (I.C.2.c for FDIC).

[10] See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002 available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm. Federal Reserve SR 97-32, Sound Practice Guidance for Information Security for Networks, Dec. 4, 1997; OCC Bulletin 2000-14, “Infrastructure Threats—Intrusion Risks” (May 15, 2000), for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.

In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in the Guidelines that relate to these arrangements, and with existing guidance on this topic issued by the Agencies,[11] an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

[11] See Federal Reserve SR Ltr. 00-04, Outsourcing of Information and Transaction Processing, Feb. 9, 2000; OCC Bulletin 2001-47, “Third-Party Relationships Risk Management Principles,” Nov. 1, 2001; FDIC FIL 68-99, Risk Assessment Tools and Practices for Information System Security, July 7, 1999; Thrift Bulletin 82a, Third Party Arrangements, Sept. 1, 2004.

A. Components of a Response Program

1. At a minimum, an institution's response program should contain procedures for the following:

a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;

b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;

c. Consistent with the Agencies' Suspicious Activity Report (“SAR”) regulations,[12] notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

[12] An institution's obligation to file a SAR is set out in the Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR 208.62 (State member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured State branches and agencies of foreign banks); 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries); 12 CFR part 353 (State non-member banks); and 390.355 (State savings associations). National banks must file SARs in connection with computer intrusions and other computer crimes. See OCC Bulletin 2000-14, “Infrastructure Threats—Intrusion Risks” (May 15, 2000); Advisory Letter 97-9, “Reporting Computer Related Crimes” (November 19, 1997) (general guidance still applicable though instructions for new SAR form published in 65 FR 1229, 1230 (January 7, 2000)). See also Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr. 26, 2001; SR 97-28, Guidance Concerning Reporting of Computer Related Crimes by Financial Institutions, Nov. 6, 1997; FDIC FIL 48-2000, Suspicious Activity Reports, July 14, 2000; FIL 47-97, Preparation of Suspicious Activity Reports, May 6, 1997; CEO Memorandum 139, Identity Theft and Pretext Calling, May 4, 2001; CEO Memorandum 126, New Suspicious Activity Report Form, July 5, 2000.

d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence;[13] and

[13] See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, pp. 68-74.

e. Notifying customers when warranted.

2. Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution's customers or regulator on its behalf.

III. Customer Notice

Financial institutions have an affirmative duty to protect their customers' information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer's information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution's reputation risk. Effective notice also may reduce an institution's legal risk, assist in maintaining good customer relations, and enable the institution's customers to take steps to protect themselves against the consequences of identity theft. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.

A. Standard for Providing Notice

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.

1. Sensitive Customer Information

Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this Guidance, sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.

2. Affected Customers

If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers' information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.

B. Content of Customer Notice

1. Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers' information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance.[14] The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution. The notice should include the following additional items, when appropriate:

[14] The institution should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.

a. A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

b. A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer's consumer reports to put the customer's creditors on notice that the customer may be a victim of fraud;

c. A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

d. An explanation of how the customer may obtain a credit report free of charge; and

e. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.[15]

[15] Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are http://www.consumer.gov/idtheft and 1-877-IDTHEFT. The institution may also refer customers to any materials developed pursuant to section 151(b) of the FACT Act (educational materials developed by the FTC to teach the public how to prevent identity theft).

2. The Agencies encourage financial institutions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.

C. Delivery of Customer Notice

Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it. For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

Subpart C—Fair Credit Reporting

§391.20   Examples.

The examples in this subpart are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this subpart. Examples in a section illustrate only the issue described in the section and do not illustrate any other issue that may arise in this subpart.

§391.21   Disposal of consumer information.

(a) Scope. This section applies to State savings associations whose deposits are insured by the Federal Deposit Insurance Corporation (defined as “you”).

(b) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards, to the extent that you are covered by the scope of the Guidelines.

(c) Rule of construction. Nothing in this section shall be construed to:

(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or

(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

§391.22   Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.

(b) Definitions. For purposes of this section and the appendix to subpart C of part 391, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A deposit account.

(2) The term board of directors includes:

(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic identification of covered accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in the appendix to this subpart and include in its Program those guidelines that are appropriate.

§391.23   Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder's former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to §391.22.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendix to Subpart C of Part 391—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 391.22 requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in §391.22(b)(3), to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of §391.22.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1) The types of covered accounts it offers or maintains;

(2) The methods it provides to open its covered accounts;

(3) The methods it provides to access its covered accounts; and

(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1) Incidents of identity theft that the financial institution or creditor has experienced;

(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix.

(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2) The presentation of suspicious documents;

(3) The presentation of suspicious personal identifying information, such as a suspicious address change;

(4) The unusual use of, or other suspicious activity related to, a covered account; and

(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and

(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new account number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a) The experiences of the financial institution or creditor with identity theft;

(b) Changes in methods of identity theft;

(c) Changes in methods to detect, prevent, and mitigate identity theft;

(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1) Assigning specific responsibility for the Program's implementation;

(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with §391.22; and

(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with §391.22.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b) Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix to Subpart C of Part 391

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in this Appendix, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;

b. An unusual number of recently established credit relationships;

c. A material change in the use of credit, especially with respect to recently established credit relationships; or

d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or a prison; or

b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or by other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Subpart D—Loans in Areas Having Special Flood Hazards

§391.30   Authority, purpose, and scope.

(a) Authority. This subpart is issued pursuant to 12 U.S.C. 1462, 1462a, 1463, 1464, 1819 (Tenth) and 42 U.S.C. 4012a, 4104a, 4104b, 4106, 4128.

(b) Purpose. The purpose of this subpart is to implement the requirements of the National Flood Insurance Act of 1968 and the Flood Disaster Protection Act of 1973, as amended (42 U.S.C. 4001-4129).

(c) Scope. This subpart, except for §§391.35 and 391.37, applies to loans secured by buildings or mobile homes located or to be located in areas determined by the Director of the Federal Emergency Management Agency to have special flood hazards. Sections 391.35 and 391.37 apply to loans secured by buildings or mobile homes, regardless of location.

§391.31   Definitions.

(a) Act means the National Flood Insurance Act of 1968, as amended (42 U.S.C. 4001-4129).

(b) State savings association means, for purposes of this subpart, a State savings association as that term is defined in 12 U.S.C. 1813(b)(3) and any subsidiaries thereof.

(c) Building means a walled and roofed structure, other than a gas or liquid storage tank, that is principally above ground and affixed to a permanent site, and a walled and roofed structure while in the course of construction, alteration, or repair.

(d) Community means a State or a political subdivision of a State that has zoning and building code jurisdiction over a particular area having special flood hazards.

(e) Designated loan means a loan secured by a building or mobile home that is located or to be located in a special flood hazard area in which flood insurance is available under the Act.

(f) Director of FEMA means the Director of the Federal Emergency Management Agency.

(g) Mobile home means a structure, transportable in one or more sections, that is built on a permanent chassis and designed for use with or without a permanent foundation when attached to the required utilities. The term mobile home does not include a recreational vehicle. For purposes of this subpart, the term mobile home means a mobile home on a permanent foundation. The term mobile home includes a manufactured home as that term is used in the NFIP.

(h) NFIP means the National Flood Insurance Program authorized under the Act.

(i) Residential improved real estate means real estate upon which a home or other residential building is located or to be located.

(j) Servicer means the person responsible for:

(1) Receiving any scheduled, periodic payments from a borrower under the terms of a loan, including amounts for taxes, insurance premiums, and other charges with respect to the property securing the loan; and

(2) Making payments of principal and interest and any other payments from the amounts received from the borrower as may be required under the terms of the loan.

(k) Special flood hazard area means the land in the flood plain within a community having at least a one percent chance of flooding in any given year, as designated by the Director of FEMA.

(l) Table funding means a settlement at which a loan is funded by a contemporaneous advance of loan funds and an assignment of the loan to the person advancing the funds.

§391.32   Requirement to purchase flood insurance where available.

(a) In general. A State savings association shall not make, increase, extend, or renew any designated loan unless the building or mobile home and any personal property securing the loan is covered by flood insurance for the term of the loan. The amount of insurance must be at least equal to the lesser of the outstanding principal balance of the designated loan or the maximum limit of coverage available for the particular type of property under the Act. Flood insurance coverage under the Act is limited to the overall value of the property securing the designated loan minus the value of the land on which the property is located.

(b) Table funded loans. A State savings association that acquires a loan from a mortgage broker or other entity through table funding shall be considered to be making a loan for the purposes of this subpart.

§391.33   Exemptions.

The flood insurance requirement prescribed by §391.32 does not apply with respect to:

(a) Any State-owned property covered under a policy of self-insurance satisfactory to the Director of FEMA, who publishes and periodically revises the list of States falling within this exemption; or

(b) Property securing any loan with an original principal balance of $5,000 or less and a repayment term of one year or less.

§391.34   Escrow requirement.

If a State savings association requires the escrow of taxes, insurance premiums, fees, or any other charges for a loan secured by residential improved real estate or a mobile home that is made, increased, extended, or renewed on or after October 1, 1996, the State savings association shall also require the escrow of all premiums and fees for any flood insurance required under §391.32. The State savings association, or a servicer acting on behalf of the State savings association, shall deposit the flood insurance premiums on behalf of the borrower in an escrow account. This escrow account will be subject to escrow requirements adopted pursuant to section 10 of the Real Estate Settlement Procedures Act of 1974 (12 U.S.C. 2609) (RESPA), which generally limits the amount that may be maintained in escrow accounts for certain types of loans and requires escrow account statements for those accounts, only if the loan is otherwise subject to RESPA. Following receipt of a notice from the Director of FEMA or other provider of flood insurance that premiums are due, the State savings association, or a servicer acting on behalf of the State savings association, shall pay the amount owed to the insurance provider from the escrow account by the date when such premiums are due.

§391.35   Required use of standard flood hazard determination form.

(a) Use of form. A State savings association shall use the standard flood hazard determination form developed by the Director of FEMA when determining whether the building or mobile home offered as collateral security for a loan is or will be located in a special flood hazard area in which flood insurance is available under the Act. The standard flood hazard determination form may be used in a printed, computerized, or electronic manner. A State savings association may obtain the standard flood hazard determination form from FEMA, P.O. Box 2012, Jessup, MD 20794-2012.

(b) Retention of form. A State savings association shall retain a copy of the completed standard flood hazard determination form, in either hard copy or electronic form, for the period of time the State savings association owns the loan.

§391.36   Forced placement of flood insurance.

If a State savings association, or a servicer acting on behalf of the State savings association, determines at any time during the term of a designated loan that the building or mobile home and any personal property securing the designated loan is not covered by flood insurance or is covered by flood insurance in an amount less than the amount required under §391.32, then the State savings association or its servicer shall notify the borrower that the borrower should obtain flood insurance, at the borrower's expense, in an amount at least equal to the amount required under §391.32, for the remaining term of the loan. If the borrower fails to obtain flood insurance within 45 days after notification, then the State savings association or its servicer shall purchase insurance on the borrower's behalf. The State savings association or its servicer may charge the borrower for the cost of premiums and fees incurred in purchasing the insurance.

§391.37   Determination fees.

(a) General. Notwithstanding any Federal or State law other than the Flood Disaster Protection Act of 1973, as amended (42 U.S.C. 4001-4129), any State savings association, or a servicer acting on behalf of the State savings association, may charge a reasonable fee for determining whether the building or mobile home securing the loan is located or will be located in a special flood hazard area. A determination fee may also include, but is not limited to, a fee for life-of-loan monitoring.

(b) Borrower fee. The determination fee authorized by paragraph (a) of this section may be charged to the borrower if the determination:

(1) Is made in connection with a making, increasing, extending, or renewing of the loan that is initiated by the borrower;

(2) Reflects the Director of FEMA's revision or updating of floodplain areas or flood-risk zones;

(3) Reflects the Director of FEMA's publication of a notice or compendium that:

(i) Affects the area in which the building or mobile home securing the loan is located; or

(ii) By determination of the Director of FEMA, may reasonably require a determination whether the building or mobile home securing the loan is located in a special flood hazard area; or

(4) Results in the purchase of flood insurance coverage by the lender or its servicer on behalf of the borrower under §391.36.

(c) Purchaser or transferee fee. The determination fee authorized by paragraph (a) of this section may be charged to the purchaser or transferee of a loan in the case of the sale or transfer of the loan.

§391.38   Notice of special flood hazards and availability of Federal disaster relief assistance.

(a) Notice requirement. When a State savings association makes, increases, extends, or renews a loan secured by a building or a mobile home located or to be located in a special flood hazard area, the State savings association shall mail or deliver a written notice to the borrower and to the servicer in all cases whether or not flood insurance is available under the Act for the collateral securing the loan.

(b) Contents of notice. The written notice must include the following information:

(1) A warning, in a form approved by the Director of FEMA, that the building or the mobile home is or will be located in a special flood hazard area;

(2) A description of the flood insurance purchase requirements set forth in section 102(b) of the Flood Disaster Protection Act of 1973, as amended (42 U.S.C. 4012a(b));

(3) A statement, where applicable, that flood insurance coverage is available under the NFIP and may also be available from private insurers; and

(4) A statement whether Federal disaster relief assistance may be available in the event of damage to the building or mobile home caused by flooding in a Federally-declared disaster.

(c) Timing of notice. The State savings association shall provide the notice required by paragraph (a) of this section to the borrower within a reasonable time before the completion of the transaction, and to the servicer as promptly as practicable after the State savings association provides notice to the borrower and in any event no later than the State savings association provides other similar notices to the servicer concerning hazard insurance and taxes. Notice to the servicer may be made electronically or may take the form of a copy of the notice to the borrower.

(d) Record of receipt. The State savings association shall retain a record of the receipt of the notices by the borrower and the servicer for the period of time the State savings association owns the loan.

(e) Alternate method of notice. Instead of providing the notice to the borrower required by paragraph (a) of this section, a State savings association may obtain satisfactory written assurance from a seller or lessor that, within a reasonable time before the completion of the sale or lease transaction, the seller or lessor has provided such notice to the purchaser or lessee. The State savings association shall retain a record of the written assurance from the seller or lessor for the period of time the State savings association owns the loan.

(f) Use of prescribed form of notice. A State savings association will be considered to be in compliance with the requirement for notice to the borrower of this section by providing written notice to the borrower containing the language presented in appendix A to this subpart within a reasonable time before the completion of the transaction. The notice presented in appendix A to this subpart satisfies the borrower notice requirements of the Act.

§391.39   Notice of servicer's identity.

(a) Notice requirement. When a State savings association makes, increases, extends, renews, sells, or transfers a loan secured by a building or mobile home located or to be located in a special flood hazard area, the State savings association shall notify the Director of FEMA (or the Director's designee) in writing of the identity of the servicer of the loan. The Director of FEMA has designated the insurance provider to receive the State savings association's notice of the servicer's identity. This notice may be provided electronically if electronic transmission is satisfactory to the Director of FEMA's designee.

(b) Transfer of servicing rights. The State savings association shall notify the Director of FEMA (or the Director's designee) of any change in the servicer of a loan described in paragraph (a) of this section within 60 days after the effective date of the change. This notice may be provided electronically if electronic transmission is satisfactory to the Director of FEMA's designee. Upon any change in the servicing of a loan described in paragraph (a) of this section, the duty to provide notice under this paragraph (b) shall transfer to the transferee servicer.

Appendix to Subpart D of Part 391—Sample Form of Notice of Special Flood Hazards and Availability of Federal Disaster Relief Assistance

We are giving you this notice to inform you that:

(a) The building or mobile home securing the loan for which you have applied is or will be located in an area with special flood hazards.

(b) The area has been identified by the Director of the Federal Emergency Management Agency (FEMA) as a special flood hazard area using FEMA's Flood Insurance Rate Map or the Flood Hazard Boundary Map for the following community: __. This area has at least a one percent (1%) chance of a flood equal to or exceeding the base flood elevation (a 100-year flood) in any given year. During the life of a 30-year mortgage loan the risk of a 100-year flood in a special flood hazard area is 26 percent (26%).

(c) Federal law allows a lender and borrower jointly to request the Director of FEMA to review the determination of whether the property securing the loan is located in a special flood hazard area. If you would like to make such a request, please contact us for further information.

(d) The community in which the property securing the loan is located participates in the National Flood Insurance Program (NFIP). Federal law will not allow us to make you the loan that you have applied for if you do not purchase flood insurance. The flood insurance must be maintained for the life of the loan. If you fail to purchase or renew flood insurance on the property, Federal law authorizes and requires us to purchase the flood insurance for you at your expense.

  Flood insurance coverage under the NFIP may be purchased through an insurance agent who will obtain the policy either directly through the NFIP or through an insurance company that participates in the NFIP. Flood insurance also may be available from private insurers that do not participate in the NFIP.

  At a minimum, flood insurance purchased must cover the lesser of:

(1) The outstanding principal balance of the loan; or

(2) The maximum amount of coverage allowed for the type of property under the NFIP.

(e) Flood insurance coverage under the NFIP is limited to the overall value of the property securing the loan minus the value of the land on which the property is located.

  Federal disaster relief assistance (usually in the form of a low-interest loan) may be available for damages incurred in excess of your flood insurance if your community's participation in the NFIP is in accordance with NFIP requirements.

(f) Flood insurance coverage under the NFIP is not available for the property securing the loan because the community in which the property is located does not participate in the NFIP. In addition, if the non-participating community has been identified for at least one year as containing a special flood hazard area, properties located in the community will not be eligible for Federal disaster relief assistance in the event of a Federally-declared flood disaster.

Subpart E—Acquisition of Control of State Savings Associations

§391.40   Scope of subpart.

The purpose of this subpart is to implement the provisions of the Change in Bank Control Act, 12 U.S.C. 1817(j) (“Control Act”), relating to acquisitions and changes in control of State savings associations that are organized in stock form.

§391.41   Definitions.

As used in this subpart and in the forms under this subpart, the following definitions apply, unless the context otherwise requires:

Acquire when used in connection with the acquisition of stock of a State savings association means obtaining ownership, control, power to vote, or sole power of disposition of stock, directly or indirectly or through one or more transactions or subsidiaries, through purchase, assignment, transfer, exchange, succession, or other means, including:

(1) An increase in percentage ownership resulting from a redemption, repurchase, reverse stock split or a similar transaction involving other securities of the same class, and

(2) The acquisition of stock by a group of persons and/or companies acting in concert which shall be deemed to occur upon formation of such group: Provided, That an investment advisor shall not be deemed to acquire the voting stock of its advisee if the advisor:

(i) Votes the stock only upon instruction from the beneficial owner, and

(ii) Does not provide the beneficial owner with advice concerning the voting of such stock.

Acquiror means a person or company.

Acting in concert means:

(1) Knowing participation in a joint activity or interdependent conscious parallel action towards a common goal whether or not pursuant to an express agreement, or

(2) A combination or pooling of voting or other interests in the securities of an issuer for a common purpose pursuant to any contract, understanding, relationship, agreement or other arrangement, whether written or otherwise.

(3) A person or company which acts in concert with another person or company (“other party”) shall also be deemed to be acting in concert with any person or company who is also acting in concert with that other party, except that any tax-qualified employee stock benefit plan as defined in 12 CFR 192.25 will not be deemed to be acting in concert with its trustee or a person who serves in a similar capacity solely for the purpose of determining whether stock held by the trustee and stock held by the plan will be aggregated.

Affiliate means any person or company which controls, is controlled by or is under common control with a person, State savings association, or company.

Company means any corporation, partnership, trust, association, joint venture, pool, syndicate, unincorporated organization, joint-stock company or similar organization, as defined in the definition of similar organization in this section; but a company does not include:

(1) The FDIC or any Federal Home Loan Bank, or

(2) Any company the majority of shares of which is owned by:

(i) The United States or any State;

(ii) An officer of the United States or any State in his or her official capacity;

(iii) An instrumentality of the United States or any State; or

(iv) A savings and loan holding company registered under section 10(b) of the Home Owners' Loan Act.

Controlling shareholder means any person who directly or indirectly or acting in concert with one or more persons or companies, or together with members of his or her immediate family, owns, controls, or holds with power to vote 10 percent or more of the voting stock of a company or controls in any manner the election or appointment of a majority of the company's board of directors.

Immediate family means a person's spouse, father, mother, children, brothers, sisters and grandchildren; the father, mother, brothers, and sisters of the person's spouse; and the spouse of the person's child, brother or sister.

Management official means any president, chief executive officer, chief operating officer, vice president, director, partner, or trustee, or any other person who performs or has a representative or nominee performing similar policymaking functions, including executive officers of principal business units or divisions or subsidiaries who perform policymaking functions, for a State savings association or a company, whether or not incorporated.

Person means an individual or a group of individuals acting in concert who do not constitute a company as defined in this section.

Repealed Control Act means the Change in Savings and Loan Control Act, 12 U.S.C. 1730(q), as in effect immediately prior to its repeal by the Financial Institutions Reform, Recovery, and Enforcement Act of 1989.

Similar organization for purposes of company as defined in this section means a combination of parties with the potential for or practical likelihood of continuing rather than temporary existence, where the parties thereto have knowingly and voluntarily associated for a common purpose pursuant to identifiable and binding relationships which govern the parties with respect to either:

(1) The transferability and voting of any stock or other indicia of participation in another entity, or

(2) Achievement of a common or shared objective, such as to collectively manage or control another entity.

State savings association means a state-chartered savings association, building and loan, savings and loan or homestead association or a cooperative bank (other than a cooperative bank described in 12 U.S.C. 1813(a)(2)) the deposits of which are insured by the FDIC, and any corporation (other than a bank) the deposits of which are insured by the FDIC that the FDIC determines to be operating in substantially the same manner as a State savings association.

Stock means common or preferred stock, general or limited partnership shares or interests, or similar interests.

Uninsured institution means any financial institution the deposits of which are not insured by the FDIC.

Voting stock means:

(1) Common or preferred stock, general or limited partnership shares or interests, or similar interests if the shares or interests, by statute, charter or in any manner, entitle the holder:

(i) To vote for or to select directors, trustees, or partners (or persons exercising similar functions of the issuing State savings association or company); or

(ii) To vote or to direct the conduct of the operations or other significant policies of the issuer.

(2) Notwithstanding anything in this definition, preferred stock, limited partnership shares or interests, or similar interests are not voting stock if:

(i) Voting rights associated with the stock, shares or interests are limited solely to the type customarily provided by statute with regard to matters that would significantly and adversely affect the rights or preference of the stock, security or other interest, such as the issuance of additional amounts or classes of senior securities, the modification of the terms of the stock, security or interest, the dissolution of the issuer, or the payment of dividends by the issuer when preferred dividends are in arrears;

(ii) The stock, shares or interests represent an essentially passive investment or financing device and do not otherwise provide the holder with control over the issuer; and

(iii) The stock, shares or interests do not at the time entitle the holder, by statute, charter, or otherwise, to select or to vote for the selection of directors, trustees, or partners (or persons exercising similar functions) of the issuer;

(3) Notwithstanding anything in this definition, voting stock shall be deemed to include stock and other securities that, upon transfer or otherwise, are convertible into voting stock or exercisable to acquire voting stock where the holder of the stock, convertible security or right to acquire voting stock has the preponderant economic risk in the underlying voting stock. Securities immediately convertible into voting stock at the option of the holder without payment of additional consideration shall be deemed to constitute the voting stock into which they are convertible; other convertible securities and rights to acquire voting stock shall not be deemed to vest the holder with the preponderant economic risk in the underlying voting stock if the holder has paid less than 50 percent of the consideration required to directly acquire the voting stock and has no other economic interest in the underlying voting stock. For purposes of calculating the percentage of voting stock held by a particular acquiror, stock or other securities convertible into voting stock or exercisable to acquire voting stock which are deemed voting stock under this paragraph (3) shall be included in calculating the amount of voting stock held by the acquiror and the total amount of stock outstanding only to the extent of the voting stock obtainable by such acquiror by such conversion or exercise of rights.

§391.42   Acquisition of control of State savings associations.

(a) [Reserved]

(b) Acquisition by a person or company. Unless a transaction is exempt from prior notice under paragraph (d) of this section, no person or company (other than certain persons affiliated with a savings and loan holding company who are subject to §10(e)(4) of the Home Owners' Loan Act), shall acquire control, as defined in §391.43 (a) and (b), of a State savings association until written notice has been provided to the FDIC and (1) the FDIC indicates in writing its intent not to disapprove the proposed acquisition or (2) 60 days (or such period of time as the FDIC may specify if the review period has been extended under §391.45(c)(3)) have passed since receipt of a notice deemed sufficient under §391.45(c)(2). Notwithstanding the foregoing, acquisitions by persons or companies by means of a merger with an interim association are not subject to this subpart, but shall be subject to approval under §390.332, and either 12 CFR 152.13 or applicable state law.

(c) Exempt transactions. (1) [Reserved]

(2) The following transactions are exempt from the notice requirements of paragraph (b) of this section:

(i)(A) Control of a State savings association acquired by a bank holding company that is registered under and subject to, the Bank Holding Company Act of 1956, or any company controlled by such bank holding company;

(B) Control of a State savings association acquired solely as a result of a pledge or hypothecation of stock to secure a loan contracted for in good faith or the liquidation of a loan contracted for in good faith, in either case where such loan was made in the ordinary course of the business of the lender: Provided, further, That acquisition of control pursuant to such pledge, hypothecation or liquidation is reported to the FDIC within 30 days, and Provided, further, That the acquiror shall not retain such control for more than one year from the date on which such control was acquired; however, the FDIC may, upon application by an acquiror, extend such one-year period from year to year, for an additional period of time not exceeding three years, if the FDIC finds such extension is warranted and would not be detrimental to the public interest;

(C) Control of a State savings association acquired through a percentage increase in stock ownership following a pro rata stock dividend or stock split, if the proportional interests of the recipients remain substantially the same;

(D) Acquisition of additional stock after a non-disapproval under §391.46, or any predecessor provision, has been received: Provided, That such acquisition is consistent with any conditions imposed in connection with such approval and with the representations made by the acquirer in its application;

(E) Acquisitions of up to twenty-five percent (25%) of a class of stock by a tax-qualified employee stock benefit plan as defined in 12 CFR 192.25; and

(ii) Transactions for which approval is required under the Home Owners' Loan Act;

(iii) Transactions for which approval is required under 12 CFR 152.13 and 390.332;

(iv) Transactions for which a change of control notice must be submitted to the Board of Governors of the Federal Reserve System pursuant to the Change in Bank Control Act, 12 U.S.C. 1817(j);

(v) Acquisition of additional stock of a State savings association by any person who:

(A) Has held power to vote 25 percent or more of any class of voting stock in such association continuously since March 9, 1979; or

(B) Has maintained control of the State savings association continuously since acquiring control in compliance with the Control Act (or the Repealed Control Act) and the regulations thereunder then in effect: Provided, That such acquisition is consistent with any conditions imposed in connection with such acquisition of control and with the representations made by the acquiror in its notice; and

(vi) [Reserved]

(3) An acquiror that would be considered to be in control of a State savings association pursuant to §391.43 on December 26, 1985, shall not be subject to this §391.42 unless the acquiror acquires additional stock of the State savings association or obtains a control factor with respect to such association after December 26, 1985: Provided, That an acquiror shall not be deemed to have acquired control of a State savings association on the basis of actions taken prior to December 26, 1985, or on the basis of actions taken after December 26, 1985, if such actions are pursuant to and consistent with a materially complete application under the Holding Company Act or notice under the Repealed Control Act filed prior to December 26, 1985, if such acquisition is made pursuant to an application approved under the Holding Company Act or a notice under the Repealed Control Act that was not disapproved.

(d) Transactions exempt from prior approval or notice. (1) Subject to the conditions set forth in paragraph (d)(2) of this section, the following transactions are exempt from prior approval and prior notice under §391.42: Provided, That the timing of the transaction was not within the control of the acquiror.

(i) Control of a State savings association acquired through bona fide gift;

(ii) Control of a State savings association acquired through liquidation of a loan contracted in good faith where the loan was not made in the ordinary course of business of the lender;

(iii) Control of a State savings association acquired through a percentage increase in ownership following a stock split or redemption that was not pro rata;

(iv) Control determined pursuant to §391.43 (a) or (b) as a result of actions by third parties that are not within the control of the acquiror;

(v) Control of a State savings association acquired through testate or intestate succession: Provided, That the acquiror transmits written notification of the acquisition to the FDIC within 60 days of the acquisition and provides such additional information as the FDIC may specifically request.

(2) The exemptions provided by paragraphs (d)(1)(i) through (d)(1)(iv) of this section are subject to the following conditions:

(i) The acquiror shall file a notice or rebuttal, as appropriate, with the FDIC within 90 days of acquisition of control;

(ii) The acquiror shall not take any action to direct the management or policies of the State savings association or which are designed to effect a change in the business plan of the State savings association other than voting on matters that may be presented to stockholders by management of the State savings association until the FDIC has acted favorably upon the acquiror's notice or rebuttal, and the FDIC may require that the acquiror take such steps as the FDIC deems necessary to insure that control is not exercised; and

(iii) If the FDIC disapproves the acquiror's notice or rebuttal, the acquiror shall divest such portion of the stock held by the acquiror so as to cause the acquiror not to be determined to be in control of the State savings association under §391.43, within one year or such shorter period of time and in the manner that the FDIC may order.

§391.43   Control.

(a) Conclusive control. (1) An acquiror shall be deemed to have acquired control of a State savings association, other than a savings and loan holding company, if the acquiror directly or indirectly, through one or more subsidiaries or transactions or acting in concert with one or more persons or companies:

(i) Acquires 25 percent or more of any class of voting stock of the State savings association; or

(ii) Acquires irrevocable proxies representing 25 percent or more of any class of voting stock of the State savings association; or

(iii) Acquires any combination of voting stock and irrevocable proxies representing 25 percent or more of any class of voting stock of a State savings association; or

(iv) [Reserved]

(2) [Reserved]

(4) A person or company shall be deemed to control a State savings association if the FDIC determines that such person has the power to direct the management or policies of the State savings association.

(b) Rebuttable control determinations. (1) An acquiror shall be determined, subject to rebuttal, to have acquired control of a State savings association, if the acquiror directly or indirectly, or through one or more subsidiaries or transactions or acting in concert with one or more persons or companies:

(i) Acquires more than 10 percent of any class of voting stock of the State savings association and is subject to any control factor, as defined in paragraph (c) of this section;

(ii) Acquires 25 percent or more of any class of stock of the State savings association and is subject to any control factor, as defined in paragraph (c) of this section.

(2) An acquiror shall be determined, subject to rebuttal, to have acquired control of a State savings association, if the acquiror directly or indirectly, or through one or more subsidiaries or transactions or acting in concert with one or more persons or companies, holds any combination of voting stock and revocable and/or irrevocable proxies, representing 25 percent or more of any class of voting stock of a State savings association, excluding such proxies held in connection with a solicitation by, or in opposition to, a solicitation on behalf of management of the State savings association, but including a solicitation in connection with an election of directors, and such proxies would enable the acquiror to:

(i) Elect one-third or more of the State savings association's board of directors, including nominees or representatives of the acquiror currently serving on such board;

(ii) Cause the State savings association's stockholders to approve the acquisition or corporate reorganization of the State savings association; or

(iii) Exert a continuing influence on a material aspect of the business operations of the State savings association.

(c) Control factors. For purposes of paragraph (b)(1) of this section, the following constitute control factors. References to the acquiror include actions taken directly or indirectly, or through one or more subsidiaries or transactions or acting in concert with one or more persons or companies:

(1) The acquiror would be one of the two largest holders of any class of voting stock of the State savings association.

(2) The acquiror would hold 25 percent or more of the total stockholders' equity of the State savings association.

(3) The acquiror would hold more than 35 percent of the combined debt securities and stockholders' equity of the State savings association.

(4) The acquiror is party to any agreement:

(i) Pursuant to which the acquiror possesses a material economic stake in the State savings association resulting from a profit-sharing arrangement, use of common names, facilities or personnel, or the provision of essential services to the State savings association; or

(ii) That enables the acquiror to influence a material aspect of the management or policies of the State savings association, other than agreements to which the State savings association is a party where the restrictions are customary under the circumstances and in the case of an acquisition agreement, which apply only during the period when the acquiror is seeking the FDIC's approval to acquire the State savings association, the agreement prohibits transactions between the acquiror and the State savings association and their respective affiliates without approval by the appropriate Regional Director during the pendency of the notice process, and the agreement contains no material forfeiture provisions applicable to the State savings association in the event the acquisition is not approved or not approved by a specified date.

(5) The acquiror would have the ability, other than through the holding of revocable proxies, to direct the votes of 25 percent or more of a class of the State savings association's voting stock or to vote 25 percent or more of a class of the State savings association's voting stock in the future upon the occurrence of a future event.

(6) The acquiror would have the power to direct the disposition of 25 percent or more of a class of the State savings association's voting stock in a manner other than a widely dispersed or public offering.

(7) The acquiror and/or the acquiror's representatives or nominees would constitute more than one member of the State savings association's board of directors.

(8) The acquiror or a nominee or management official of the acquiror would serve as the chairman of the board of directors, chairman of the executive committee, chief executive officer, chief operating officer, chief financial officer or in any position with similar policymaking authority in the State savings association.

(d) Rebuttable presumptions of concerted action. An acquiror will be presumed to be acting in concert with the following persons and companies:

(1) A company will be presumed to be acting in concert with a controlling shareholder, partner, trustee or management official of such company with respect to the acquisition of stock of a State savings association, if

(i) Both the company and the person own stock in the State savings association,

(ii) The company provides credit to the person to purchase the State savings association's stock, or

(iii) The company pledges its assets or otherwise is instrumental in obtaining financing for the person to acquire stock of the State savings association;

(2) A person will be presumed to be acting in concert with members of the person's immediate family;

(3) Persons will be presumed to be acting in concert with each other where

(i) Both own stock in a State savings association and both are also management officials, controlling shareholders, partners, or trustees of another company, or

(ii) One person provides credit to another person or is instrumental in obtaining financing for another person to purchase stock of the State savings association;

(4) A company controlling or controlled by another company and companies under common control will be presumed to be acting in concert;

(5) Persons or companies will be presumed to be acting in concert where they constitute a group under the beneficial ownership reporting rules under section 13 or the proxy rules under section 14 of the Securities Exchange Act of 1934, promulgated by the Securities and Exchange Commission.

(6) A person or company will be presumed to be acting in concert with any trust for which such person or company serves as trustee, except that a tax-qualified employee stock benefit plan as defined in 12 CFR 192.25 shall not be presumed to be acting in concert with its trustee or person acting in a similar fiduciary capacity solely for the purposes of determining whether to combine the holdings of a plan and its trustee or fiduciary.

(7) Persons or companies will be presumed to be acting in concert with each other and with any other person or company with which they also are presumed to act in concert.

(e) Procedures for rebuttal—(1) Rebuttal of control determination. An acquiror attempting to rebut a determination of control that would arise under paragraph (b) of this section shall file a submission with the FDIC setting forth the facts and circumstances which support the acquiror's contention that no control relationship would exist if the acquiror acquires stock or obtains a control factor with respect to a State savings association. The rebuttal must be filed and accepted in accordance with this section before the acquiror acquires such stock or control factor.

(i) An acquiror seeking to rebut the determination of control arising under paragraph (b)(1) of this section shall submit to the FDIC an executed agreement materially conforming to the agreement set forth at §391.48. Unless agreed to by the FDIC in writing, no other agreement or filing shall be deemed to rebut the determination of control arising under paragraph (b)(1) of this section. If accepted by the FDIC the acquiror shall furnish a copy of the executed agreement to the association to which the rebuttal pertains.

(ii) An acquiror seeking to rebut the determination of control with respect to holding of proxies arising under paragraph (b)(2) of this section shall be subject to the requirements of paragraph (e)(1) of this section, except that in the case of a rebuttal of the presumption of control arising under paragraph (b)(2) of this section, the FDIC may require the acquiror to furnish information in response to a specific request for information and depending upon the particular facts and circumstances, to provide an executed rebuttal agreement materially conforming to the agreement set forth at §391.48, with any modifications deemed necessary by the FDIC.

(2) Presumptions of concerted action. An acquiror attempting to rebut the presumption of concerted action arising under paragraph (d) of this section shall file a submission with the FDIC setting forth facts and circumstances which clearly and convincingly demonstrate the acquiror's contention that no action in concert exists. Such a statement must be accompanied by an affidavit, in form and content satisfactory to the FDIC, executed by each person or company presumed to be acting in concert, stating that such person or company does not and shall not, without having made necessary filings and obtained approval or clearance thereof under the Holding Company Act or the Control Act, as applicable, have any agreements or understandings, written or tacit, with respect to the exercise of control, directly or indirectly, over the management or policies of the State savings association, including agreements relating to voting, acquisition or disposition of the State savings association's stock. The affidavit shall also recite that the signatory is aware that the filing of a false affidavit may subject the person or company to criminal sanctions, would constitute a violation of the FDIC's regulations at §390.355(b) and would be considered a “presumptive disqualifier” under 12 CFR 391.46(g)(1)(v).

(3) Determination. A rebuttal filed pursuant to paragraph (e) of this section shall not be deemed sufficient unless it includes all the information, agreements, and affidavits required by the FDIC and this subpart, as well as any additional relevant information as the FDIC may require by written request to the acquiror. Within 20 calendar days after proper filing of a rebuttal submission, the FDIC will provide written notification of its determination to accept or reject the submission; request additional information in connection with the submission; or return the submission to the acquiror as materially deficient. Within 15 calendar days after proper filing of any additional information furnished in response to a specific request by the FDIC, the FDIC shall notify the acquiror in writing as to whether the rebuttal is thereby deemed to be sufficient. If the FDIC fails to notify an acquiror within such time, the rebuttal shall be deemed to be accepted. The FDIC may reject any rebuttal which is inconsistent with facts and circumstances known to it or where the rebuttal does not clearly and convincingly refute the rebuttable determination of control or presumption of action in concert, and may determine to reject a submission solely on such bases.

(f) Safe harbor. Notwithstanding any other provision of this section, where an acquiror has no intention to participate in or to seek to exercise control over a State savings association's management or policies, the acquiror may seek to qualify for a safe harbor with respect to its ownership of stock of a State savings association.

(1) In order to qualify for the safe harbor, an acquiror must submit a certification to the FDIC that shall be signed by the acquiror or an authorized representative thereof and shall read as follows:

The undersigned makes this submission pursuant to §391.43(f) with respect to [name of State savings association] and hereby certifies to the FDIC the following:

The undersigned is not in control of [name of State savings association] under §391.43(a);

The undersigned is not subject to any control factor as enumerated in §391.43(c) with respect to the [name of State savings association];

The undersigned will not solicit proxies relating to the voting stock of [name of State savings association];

Before any change in status occurs that would bring the undersigned within the scope of §391.43(a) or (b), the undersigned will file and obtain approval of a rebuttal, or non-disapproval of a notice, or holding company application, as appropriate.

The undersigned has not acquired stock of [name of State savings association] for the purpose or effect of changing or influencing the control of [name of State savings association] or in connection with or as a participant in any transaction having such purpose or effect.

(2) An acquiror claiming safe-harbor status may vote freely and dissent with respect to its own stock. Certifications provided for in this paragraph must be filed with FDIC in accordance with §§390.106 and 390.108.

§391.44   Certifications of ownership.

(a) Acquisition of stock. (1) Upon the acquisition of beneficial ownership that exceeds, in the aggregate, 10 percent of any class of stock of a State savings association or additional stock above 10 percent of the stock of a State savings association occurring after December 26, 1985, an acquiror shall file with the FDIC a certification as described in this section.

(2) The certification filed pursuant to this section shall be signed by the acquiror or an authorized representative thereof and shall read as follows:

The undersigned is the beneficial owner of 10 percent or more of a class of stock of [name of State savings association]. The undersigned is not in control of such association, as defined in 12 CFR 391.43(a), and is not subject to a rebuttable determination of control under §391.43(b), and will take no action that would result in a determination of control or a rebuttable determination of control without first filing and obtaining approval of an application under the Savings and Loan Holding Company Act, 12 U.S.C. 1467a, or a notice under the Change in Bank Control Act, 12 U.S.C. 1817(j), or filing and obtaining acceptance by the FDIC of a rebuttal of the rebuttable determination of control.

(3) Notwithstanding anything contained in this paragraph (a), an acquiror is not required to file a certification if—

(i) The FDIC has issued a notice of non-disapproval of the acquisition of the State savings association; or

(ii) The acquiror has filed a materially complete notice pursuant to §391.42.

(b) Privacy. All certifications filed under this §391.44 shall be for the information of the FDIC in connection with its examination functions and shall be provided confidential treatment by the FDIC.

§391.45   Procedural requirements.

(a) Form of application or notice. A notice required by §391.42 shall be filed on the form indicated below. An acquiror may request confidential treatment of portions of a notice only by complying with the requirements of paragraph (f) of this section.

(a)(1)-(5) [Reserved]

(6) Notice Form 1393, parts A and B. This form shall be used for all notices filed under §391.42(b) regarding the acquisition of control of a State savings association by any person or persons not constituting a company.

(b) Filing requirements—(1) Notices and rebuttals. (i) Complete copies including exhibits and all other pertinent documents of notices, and rebuttal submissions shall be filed with the appropriate Regional Director in the region in which the State savings association or associations involved in the transaction have their home office or offices. Unsigned copies shall be conformed. Each copy shall include a summary of the proposed transaction.

(ii) Any person or company may amend a notice or rebuttal submission, or file additional information, upon request of the FDIC or, in the case of the party filing a notice or rebuttal, upon such party's own initiative.

(2) [Reserved]

(c) Sufficiency and waiver. (1) Except as provided in §391.45(c)(5), a notice filed pursuant to §391.42(b) shall not be deemed sufficient unless it includes all of the information required by the form prescribed by the FDIC and this section, including a complete description of the acquiror's proposed plan for acquisition of control whether pursuant to one or more transactions, and any additional relevant information as the FDIC may require by written request to the acquiror. Unless a notice specifically indicates otherwise, the notice shall be considered to pertain to acquisition of 100 percent of a State savings association's voting stock. Where a notice pertains to a lesser amount of stock, the FDIC may condition its non-disapproval to apply only to such amount, in which case additional acquisitions may be made only by amendment to the acquiror's notice and the FDIC's approval or non-disapproval thereof. Failure by an applicant to respond completely to a written request by the FDIC for additional information within 30 calendar days of the date of such request may be deemed to constitute withdrawal of the notice or rebuttal filing or may be treated as grounds for issuance of a notice of disapproval of a notice or rejection of a rebuttal.

(2) The period for the FDIC's review of any proposed acquisition will commence upon receipt by the FDIC of a notice deemed sufficient under paragraph (c)(1) of this section. The FDIC shall notify an acquiror in writing within 30 calendar days after proper filing of a notice as to whether the notice—

(i) Is sufficient;

(ii) Is insufficient, and what additional information is requested in order to render the application or notice sufficient; or

(iii) Is materially deficient and will not be processed. The FDIC shall also notify an acquiror in writing within 15 calendar days after proper filing of any additional information furnished in response to a specific request by the FDIC as to whether the notice is thereby deemed to be sufficient. If the FDIC fails to so notify an acquiror within such time, the application or notice shall be deemed to be sufficient as of the expiration of the applicable period.

(3) After additional information has been requested and supplied, the FDIC may request additional information only with respect to matters derived from or prompted by information already furnished, or information of a material nature that was not reasonably available from the acquiror, was concealed, or pertains to developments subsequent to the time of the FDIC's initial request for additional information. With regard to information of a material nature that was not reasonably available from the acquiror or was concealed at the time a notice was deemed to be sufficient or which pertains to developments subsequent to the time a notice was deemed to be sufficient, the FDIC, at its option, may request such additional information as it considers necessary, or may deem the notice not to be sufficient until such additional information is furnished and cause the review period to commence again in its entirety upon receipt of such additional information.

(i) The 60-day period for the FDIC's review of a notice deemed to be sufficient also may be extended by the FDIC for up to an additional 30 days.

(ii) The period for the FDIC's review of a notice may be further extended not to exceed two additional times for not more than 45 days each time if—

(A) The FDIC determines that any acquiring party has not furnished all the information required under this subpart;

(B) In the FDIC's judgment, any material information submitted is substantially inaccurate;

(C) The FDIC has been unable to complete an investigation of each acquiror because of any delay caused by, or the inadequate cooperation of, such acquiror; or

(D) The FDIC determines that additional time is needed to investigate and determine that no acquiring party has a record of failing to comply with the requirements of subchapter II of chapter 53 of title 31 of the United States Code.

(4) [Reserved]

(5) The FDIC may waive any requirements of this paragraph (c) determined to be unnecessary by the FDIC, upon its own initiative, upon the written request of an acquiring person, or in a supervisory case.

(d) Public notice. (1) The acquiror must publish a public notice of a notice under §391.42(b), in accordance with the procedures in §§390.111 through 390.115. Promptly after publication, the acquiror must transmit copies of the public notice and the publisher's affidavit to FDIC.

(2) The acquiror must provide a copy of the public notice to the State savings association whose stock is sought to be acquired, and may provide a copy of the public notice to any other person who may have an interest in the notice.

(3) The FDIC will notify the appropriate state supervisor and will notify persons whose requests for announcements, as described in 12 CFR 163e, appendix B, have been received in time for the notification. The FDIC may also notify any other persons who may have an interest in the notice.

(e) Submission of comments. Commenters may submit comments on the notice in accordance with the procedures in §§390.116 through 390.120.

(f) Disclosure. (1) Any notice, other filings, public comment, or portion thereof, made pursuant to this subpart for which confidential treatment is not requested in accordance with this paragraph (f), shall be immediately available to the public and not subject to the procedures set forth herein. Public disclosure shall be made of other portions of a notice, other filing or public comment in accordance with paragraph (f)(2) of this section, the provisions of the Freedom of Information Act (5 U.S.C. 552a) and parts 309 and 310. Applicants and other submitters should provide confidential and non-confidential versions of their filings, as described in §391.45(f)(2) and (3) in order to facilitate this process.

(2) Any person who submits any information or causes or permits any information to be submitted to the FDIC pursuant to this subpart may request that the FDIC afford confidential treatment under the Freedom of Information Act to such information for reasons of personal privacy or business confidentiality, which shall include such information that would be deemed to result in the commencement of a tender offer under §240.14d-2 of title 17 of the Code of Federal Regulations, or for any other reason permitted by Federal law. Such request for confidentiality must be made and justified in accordance with paragraph (f)(5) of this section at the time of filing, and must, to the extent practicable, identify with specificity the information for which confidential treatment may be available and not merely indicate portions of documents or entire documents in which such information is contained. Failure to specifically identify information for which confidential treatment is requested, failure to specifically justify the bases upon which confidentiality is claimed in accordance with paragraph (f)(5) of this section, or overbroad and indiscriminate claims for confidential treatment, may be bases for denial of the request. In addition, the filing party should take all steps reasonably necessary to ensure, as nearly as practicable, that at the time the information is first received by the FDIC it is supplied segregated from information for which confidential treatment is not being requested, it is appropriately marked as confidential, and it is accompanied by a written request for confidential treatment which identifies with specificity the information as to which confidential treatment is requested. Any such request must be substantiated in accordance with paragraph (f)(5) of this section.

(3) All documents which contain information for which a request for confidential treatment is made or the appropriate segregable portions thereof shall be marked by the person submitting the records with a prominent stamp, typed legend, or other suitable form of notice on each page or segregable portion of each page, stating “Confidential Treatment Requested by [name].” If such marking is impracticable under the circumstances, a cover sheet prominently marked “Confidential Treatment Requested by [name]” should be securely attached to each group of records submitted for which confidential treatment is requested. Each of the records transmitted in this manner should be individually marked with an identifying number and code so that they are separately identifiable.

(4) A determination as to the validity of any request for confidential treatment may be made when a request for disclosure of the information under the Freedom of Information Act is received, or at any time prior thereto. If the FDIC receives a request for the information under the Freedom of Information Act, FDIC will advise the filing party before it discloses material for which confidential treatment has been requested.

(5) Substantiation of a request for confidential treatment shall consist of a statement setting forth, to the extent appropriate or necessary for the determination of the request for confidential treatment, the following information regarding the request:

(i) The reasons, concisely stated and referring to specific exemptive provisions of the Freedom of Information Act, why the information should be withheld from access under the Freedom of Information Act;

(ii) The applicability of any specific statutory or regulatory provisions which govern or may govern the treatment of the information;

(iii) The existence and applicability of any prior determination by the FDIC, other Federal agencies, or a court, concerning confidential treatment of the information;

(iv) The adverse consequences to a business enterprise, financial or otherwise, that would result from disclosure of confidential commercial or financial information, including any adverse effect on the business' competitive position;

(v) The measures taken by the business to protect the confidentiality of the commercial or financial information in question and of similar information, prior to, and after, its submission to the FDIC;

(vi) The ease or difficulty of a competitor's obtaining or compiling the commercial or financial information;

(vii) Whether commercial or financial information was voluntarily submitted to the FDIC, and, if so, whether and how disclosure of the information would tend to impede the availability of similar information to the FDIC;

(viii) The extent, if any, to which portions of the substantiation of the request for confidential treatment should be afforded confidential treatment;

(ix) The amount of time after the consummation of the proposed acquisition for which the information should remain confidential and a justification thereof;

(x) Such additional facts and such legal and other authorities as the requesting person may consider appropriate.

(6) Any person requesting access to a notice, other filing, or public comment made pursuant to this subpart for purposes of commenting on a pending submission may prominently label such request: “Request for Disclosure of Filing(s) Made Under Subpart E of Part 391/Priority Treatment Requested.”

(g) Supervisory cases. The provisions of paragraphs (d), (e), and (f) of this section may be waived by the FDIC in connection with a transaction approved by the FDIC for supervisory reasons.

(h) Notification of State supervisor. Upon receiving a notice relating to an acquisition of control of a State savings association, the FDIC shall forward a copy of the notice to the appropriate state savings and loan association supervisory agency, and shall allow 30 days within which the views and recommendations of such state supervisory agency may be submitted. The FDIC shall give due consideration to the views and recommendations of such state agency in determining whether to disapprove any proposed acquisition. Notwithstanding the provisions of this paragraph (h), if the FDIC determines that it must act immediately upon any notice of a proposed acquisition in order to prevent the default of the association involved in the proposed acquisition, the FDIC may dispense with the requirement of this paragraph (h) or, if a copy of the notice is forwarded to the state supervisory agency, the FDIC may request that the views and recommendations of such state supervisory agency be submitted immediately in any form or by any means acceptable to the FDIC.

(i) Additional procedures for acquisitions involving mergers. Acquisitions of control involving mergers (including mergers with an interim association) shall also be subject to the procedures set forth in §390.332 to the extent applicable, except as provided in paragraph (a) of this section.

(j) Additional procedures for acquisitions of recently converted State savings associations. Notices and rebuttals involving acquisitions of the stock of a recently converted State savings association under 12 CFR 192.3(i)(3) shall also address the criteria for approval set forth at 12 CFR 192.3(i)(5).

§391.46   Determination by the FDIC.

(a)-(c) [Reserved]

(d) Notice criteria. In making its determination whether to disapprove a notice, the FDIC may disapprove any proposed acquisition, if the FDIC determines that:

(1) The proposed acquisition of control would result in a monopoly or would be in furtherance of any combination or conspiracy to monopolize or to attempt to monopolize the banking business in any part of the United States;

(2) The effect of the proposed acquisition of control in any section of the country may be substantially to lessen competition or to tend to create a monopoly or the proposed acquisition of control would in any other manner be in restraint of trade, and the anticompetitive effects of the proposed acquisition of control are not clearly outweighed in the public interest by the probable effect of the transaction in meeting the convenience and needs of the community to be served;

(3) The financial condition of the acquiring person is such as might jeopardize the financial stability of the association or prejudice the interests of the depositors of the State savings association;

(4) The competence, experience, or integrity of the acquiring person or any of the proposed management personnel indicates that it would not be in the interests of the depositors of the State savings association, the FDIC, or the public to permit such person to control the State savings association;

(5) The acquiring person fails or refuses to furnish information requested by the FDIC; or

(6) The FDIC determines that the proposed acquisition would have an adverse effect on the Deposit Insurance Fund.

(e) Failure to disapprove a notice. If, upon expiration of the 60-day review period of any notice deemed to be sufficient filed pursuant to §391.45(c), or extension thereof, the FDIC has failed to disapprove such notice, the proposed acquisition may take place: Provided, That it is consummated within one year and in accordance with the terms and representations in the notice and that there is no material change in circumstances prior to the acquisition.

(f) [Reserved]

(g) Presumptive disqualifiers—(1) Integrity factors. The following factors shall give rise to a rebuttable presumption that an acquiror may fail to satisfy the integrity test of paragraph (d)(4) of this section:

(i) During the 10-year period immediately preceding filing the notice, criminal, civil or administrative judgments, consents or orders, and any indictments, formal investigations, examinations, or civil or administrative proceedings (excluding routine or customary audits, inspections and investigations) that terminated in any agreements, undertakings, consents or orders, issued against, entered into by, or involving the acquiror or affiliates of the acquiror by any federal or state court, any department, agency, or commission of the U.S. Government, any state or municipality, any Federal Home Loan Bank, any self-regulatory trade or professional organization, or any foreign government or governmental entity, which involve:

(A) Fraud, moral turpitude, dishonesty, breach of trust or fiduciary duties, organized crime or racketeering;

(B) Violation of securities or commodities laws or regulations;

(C) Violation of depository institution laws or regulations;

(D) Violation of housing authority laws or regulations; or

(E) Violation of the rules, regulations, codes of conduct or ethics of a self-regulatory trade or professional organization;

(ii) Denial, or withdrawal after receipt of formal or informal notice of an intent to deny, by the acquiror or affiliates of the acquiror, of

(A) Any application relating to the organization of a financial institution,

(B) An application to acquire any financial institution or holding company thereof under the Holding Company Act or the Bank Holding Company Act or otherwise,

(C) A notice relating to a change in control of any of the foregoing under the Control Act or the Repealed Control Act; or

(D) An application or notice under a state holding company or change in control statute;

(iii) The acquiror or affiliates of the acquiror were placed in receivership or conservatorship during the preceding 10 years, or any management official of the acquiror was a management official or director (other than an official or director serving at the request of the FDIC, the former Resolution Trust Corporation, or the former Federal Savings and Loan Insurance Corporation) or controlling shareholder of a company or savings association that was placed into receivership, conservatorship, or a management consignment program, or was liquidated during his or her tenure or control or within two years thereafter;

(iv) Felony conviction of the acquiror, an affiliate of the acquiror or a management official of the acquiror or an affiliate of the acquiror;

(v) Knowingly making any written or oral statement to the FDIC or any predecessor agency (or its delegate) in connection with a notice or other filing under this subpart that is false or misleading with respect to a material fact or omits to state a material fact with respect to information furnished or requested in connection with such notice or other filing;

(vi) Acquisition and retention at the time of submission of a notice, of stock in the State savings association by the acquiror in violation of §391.42 or its predecessor sections.

(2) Financial factors. The following shall give rise to a rebuttable presumption that an acquiror may fail to satisfy the financial condition test of paragraph (d)(3) of this section:

(i) Liability for amounts of debt which, in the opinion of the FDIC, create excessive risks of default and pressure on the State savings association to be acquired; or

(ii) Failure to furnish a business plan or furnishing a business plan projecting activities which are inconsistent with economical home financing.

§391.47   [Reserved]

§391.48   Rebuttal of control agreement.

Agreement

Rebuttal of Rebuttable Determination Of Control Under Subpart A

I. WHEREAS

A. [  ] is the owner of [  ] shares (the “Shares”) of the [  ] stock (the “Stock”) of [name and address of State savings association], which Shares represent [  ] percent of a class of “voting stock” of [  ] as defined under the Acquisition of Control Regulations (“Regulations”) of the FDIC, Subpart A of Part 391 (“Voting Stock”);

B. [  ] is a “State savings association” within the meaning of the Regulations;

C. [  ] seeks to acquire additional shares of stock of [  ] (“Additional Shares”), such that [  ]'s ownership thereof will represent 10 percent or more of a class of Voting Stock but will not represent 25 percent or more of any class of Voting Stock of [  ]; [and/or] [  ] seeks to [  ], which would constitute the acquisition of a “control factor” as defined in the Regulations (“Control Factor”);

D. [  ] does not seek to acquire the [Additional Shares or Control Factor] for the purpose or effect of changing the control of [  ] or in connection with or as a participant in any transaction having such purpose or effect;

E. The Regulations require a company or a person who intends to hold 10 percent or more but not 25 percent or more of any class of Voting Stock of a State savings association or holding company thereof and that also would possess any of the Control Factors specified in the Regulations, to file and obtain clearance of a notice (“Notice”) under the Change in Control Act (“Control Act”), 12 U.S.C. 1817(j), prior to acquiring such amount of stock and a Control Factor unless the rebuttable determination of control has been rebutted.

F. Under the Regulations, [  ] would be determined to be in control, subject to rebuttal, of [  ] upon acquisition of the [Additional Shares or Control Factor];

G. [  ] has no intention to manage or control, directly or indirectly, [  ];

H. [  ] has filed on [  ], a written statement seeking to rebut the determination of control, attached hereto and incorporated by reference herein, (this submission referred to as the “Rebuttal”);

I. In order to rebut the rebuttable determination of control, [  ] agrees to offer this Agreement as evidence that the acquisition of the [Additional Shares or Control Factor] as proposed would not constitute an acquisition of control under the Regulations.

II. The FDIC has determined, and hereby agrees, to act favorably on the Rebuttal, and in consideration of such a determination and agreement by the FDIC to act favorably on the Rebuttal, [  ] and any other existing, resulting or successor entities of [  ] agree with the FDIC that:

A. Unless [  ] shall have filed a Notice under the Control Act, or an Application under the Holding Company Act, as appropriate, and shall have obtained clearance of the Notice in accordance with the Regulations, [  ] will not, except as expressly permitted otherwise herein or pursuant to an amendment to this Rebuttal Agreement:

1. Seek or accept representation of more than one member of the board of directors of [insert name of State savings association and any holding company thereof];

2. Have or seek to have any representative serve as the chairman of the board of directors, or chairman of an executive or similar committee of [insert name of State savings association and any holding company thereof]'s board of directors or as president or chief executive officer of [insert name of State savings association and any holding company thereof];

3. Engage in any intercompany transaction with [  ] or [  ]'s affiliates;

4. Propose a director in opposition to nominees proposed by the management of [insert name of State savings association and any holding company thereof] for the board of directors of [insert name of State savings association and any holding company thereof] other than as permitted in paragraph A-1;

5. Solicit proxies or participate in any solicitation of proxies with respect to any matter presented to the stockholders [  ] other than in support of, or in opposition to, a solicitation conducted on behalf of management of [  ];

6. Do any of the following, except as necessary solely in connection with [  ]'s performance of duties as a member of [  ]'s board of directors:

(a) Influence or attempt to influence in any respect the loan and credit decisions or policies of [  ], the pricing of services, any personnel decisions, the location of any offices, branching, the hours of operation or similar activities of [  ];

(b) Influence or attempt to influence the dividend policies and practices of [  ] or any decisions or policies of [  ] as to the offering or exchange of any securities;

(c) Seek to amend, or otherwise take action to change, the bylaws, articles of incorporation, or charter of [  ];

(d) Exercise, or attempt to exercise, directly or indirectly, control or a controlling influence over the management, policies or business operations of [  ]; or

(e) Seek or accept access to any non-public information concerning [  ].

B. [  ] is not a party to any agreement with [  ].

C. [  ] shall not assist, aid or abet any of [  ]'s affiliates or associates that are not parties to this Agreement to act, or act in concert with any person or company, in a manner which is inconsistent with the terms hereof or which constitutes an attempt to evade the requirements of this Agreement.

D. Any amendment to this Agreement shall only be proposed in connection with an amended rebuttal filed by [  ] with the FDIC for its determination;

E. Prior to acquisition of any shares of “Voting Stock” of [  ] as defined in the Regulations in excess of the Additional Shares, any required filing will be made by [  ] under the Control Act or the Holding Company Act and either approval of the acquisition under the Holding Company Act shall be obtained or any Notice filed under the Control Act shall be cleared in accordance with the Regulations;

F. At any time during which 10 percent or more of any class of Voting Stock of [  ] is owned or controlled by [  ], no action which is inconsistent with the provisions of this Agreement shall be taken by [  ] until [  ] files and either obtains from the FDIC a favorable determination with respect to either an amended rebuttal or clearance of a Notice under the Control Act, in accordance with the Regulations;

G. Where any amended rebuttal filed by [  ] is denied or disapproved, [  ] shall take no action which is inconsistent with the terms of this Agreement, except after either (1) reducing the amount of shares of Voting Stock of [  ] owned or controlled by [  ] to an amount under 10 percent of a class of Voting Stock, or immediately ceasing any other actions that give rise to a conclusive or rebuttable determination of control under the Regulations; or (2) filing a Notice under the Control Act, or an Application under the Holding Company Act, as appropriate, and either obtaining approval of the Application or clearance of the Notice, in accordance with the Regulations;

H. Where any Notice filed by [  ] is disapproved, [  ] shall take no action which is inconsistent with the terms of this Agreement, except after reducing the amount of shares of Voting Stock of [  ] owned or controlled by [  ] to an amount under 10 percent of any class of Voting Stock, or immediately ceasing any other actions that give rise to a conclusive or rebuttable determination of control under the Regulations;

I. Should circumstances beyond [  ]'s control result in [  ] being placed in a position to direct the management or policies of [  ], then [  ] shall either (1) promptly file a Notice under the Control Act or an Application under the Holding Company Act, as appropriate, and take no affirmative steps to enlarge that control pending either a final determination with respect to the Application or Notice, or (2) promptly reduce the amount of shares of [  ] Voting Stock owned or controlled by [  ] to an amount under 10 percent of any class of Voting Stock or immediately cease any actions that give rise to a conclusive or rebuttable determination of control under the Regulations;

J. By entering into this Agreement and by offering it for reliance in reaching a decision on the request to rebut the presumption of control under the Regulations, as long as 10 percent or more of any class of Voting Stock of [  ] is owned or controlled, directly or indirectly, by [  ], and [  ] possesses any Control Factor as defined in the Regulations, [  ] will submit to the jurisdiction of the Regulations, including (1) the filing of an amended rebuttal or Notice for any proposed action which is prohibited by this Agreement, and (2) the provisions relating to a penalty for any person who willfully violates or with reckless disregard for the safety or soundness of a State savings association participates in a violation of the Control Act and the Regulations thereunder, and any regulation or order issued by the FDIC.

K. Any violation of this Agreement shall be deemed to be a violation of the [Control Act or Holding Company Act] and the Regulations, and shall be subject to such remedies and procedures as are provided in the [Control Act or Holding Company Act] and the Regulations for a violation thereunder and in addition shall be subject to any such additional remedies and procedures as are provided under any other applicable statutes or regulations for a violation, willful or otherwise, of any agreement entered into with the FDIC.

III. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original but all of which counterparts collectively shall constitute one instrument representing the Agreement among the parties thereto. It shall not be necessary that any one counterpart be signed by all of the parties hereto as long as each of the parties has signed at least one counterpart.

IV. This Agreement shall be interpreted in a manner consistent with the provisions of the Rules and Regulations of the FDIC.

V. This Agreement shall terminate upon (i) clearance by the FDIC of [  ]'s Notice under the Control Act to acquire [  ], and consummation of the transaction as described in Notice, (ii) in the disposition by [  ] of a sufficient number of shares of [  ], or (iii) the taking of such other action that thereafter [  ] is not in control and would not be determined to be in control of [  ] under the Control Act or the Regulations of the FDIC as in effect at that time.

VI. In Witness Thereof, the parties thereto have executed this Agreement by their duly authorized officer.

___

[Acquiror]

Federal Deposit Insurance Corporation.


