Privacy Act of 1974; System of Records

AGENCY:

Federal Deposit Insurance Corporation (FDIC).

ACTION:

Notice of a new system of records.

SUMMARY:

Pursuant to the provisions of the Privacy Act of 1974, as amended, the Federal Deposit Insurance Corporation (FDIC) is establishing a new system of records titled, FDIC-038, Failed Insured Depository Institution Research. This system of records maintains information collected to conduct research that inform decisions regarding core business objectives of the FDIC, including: Helping the FDIC improve its operations and processes; informing national and international policy discussions and rule-making in areas as varied as resolutions, emerging risks and risk assessments, deposit insurance, and banking policy, among others; and providing important contributions to the broader academic literature on many topics of relevance to the FDIC.

DATES:

This action will become effective on May 16, 2022. The routine uses in this action will become effective on June 15, 2022, unless the FDIC makes changes based on comments received. Written comments should be submitted on or before the routine uses effective date of June 15, 2022.

ADDRESSES:

Interested parties are invited to submit written comments identified by Privacy Act Systems of Records by any of the following methods:

• Agency Website: https://www.fdic.gov/resources/regulations/federal-register-publications/. Follow the instructions for submitting comments on the FDIC website.

• Email: comments@fdic.gov. Include “Comments-SORN” in the subject line of communication.

• Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments-SORN, Legal Division, Office of the Executive Secretary, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.

• Hand Delivery: Comments may be hand-delivered to the guard station at the rear of the 17th Street NW building (located on F Street NW), on business days between 7:00 a.m. and 5:00 p.m.

FOR FURTHER INFORMATION CONTACT:

Shannon Dahn, Chief, Privacy Program, 703-516-5500, privacy@fdic.gov.

SUPPLEMENTARY INFORMATION:

I. Background

Pursuant to the provisions of the Privacy Act of 1974, as amended, the FDIC is establishing a new system of records titled, FDIC-038 Failed Insured Depository Institution Research. The SORN is being published to reflect the use of failed insured depository institution data for research purposes. Under the authority of the Federal Deposit Insurance (FDI) Act, the Federal Deposit Insurance Corporation (FDIC) collects data from core systems of failed insured depository institutions. Once the failure of an insured depository institution has been appropriately resolved, the FDIC Division of Insurance and Research (DIR) conducts research using these data that inform decisions regarding core business objectives of the FDIC, including: (a) Helping the FDIC improve its operations and processes; (b) informing national and international policy discussions and rule-making in areas as varied as resolutions, emerging risks and risk assessments, deposit insurance, and banking policy, among others; and (c) providing important contributions to the broader academic literature on many topics of relevance to the FDIC. The data are collected from the failed insured financial institution into electronic and physical storage managed by the FDIC.

This newly established system will be included in FDIC's inventory of record systems.

SYSTEM NAME AND NUMBER:

Failed Insured Depository Institution Research, FDIC-038.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Records are maintained at FDIC facilities in Arlington, VA, and regional offices. Original and duplicate systems may exist, in whole or in part, at secure sites and on secure servers maintained by third-party service providers for the FDIC.

SYSTEM MANAGER(S):

FDIC Business Data Services System Program Manager, Chief Information Officer Organization, FDIC, 550 17th Street NW, Washington, DC 20429.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Sections 9, 10, 11, and 13 of the Federal Deposit Insurance Act (12 U.S.C. 1819, 1820, 1821, and 1822) and 12 CFR part 380.

PURPOSE(S) OF THE SYSTEM:

The purpose of this system is to conduct research using data from failed insured depository institutions to inform decisions regarding core business objectives of the FDIC, including: (a) Helping the FDIC improve its operations and processes; (b) informing national and international policy discussions and rule-making in areas as varied as resolutions, emerging risks and risk assessments, deposit insurance, and banking policy, among others; and (c) providing important contributions to the broader academic literature on many topics of relevance to the FDIC. The failed financial institution data are collected from the failed insured depository institution into electronic and physical storage managed by the FDIC.

Data may contain personal identifiers. Those personal identifiers may be useful for research purposes. For example, data with personal identifiers may be used for matching records across different systems of a failed depository institution to conduct aggregate analysis on the failed insured depository institution, such as estimating the dollar amount of insured and uninsured deposits at the depository institution. Disclosure limitation methodologies, including disclosure review of research outputs such as tables, charts, text excerpts, and computer code, are used to reduce the risk of unintentional disclosure of information that impacts privacy. The FDIC does not use any research results to make a determination about a specific individual.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Information in the system contains data that have been collected from failed insured depository institutions for which the FDIC was appointed receiver. This includes information about depository institution customers, guarantors, and vendors of the failed insured financial institution, and bank officers, directors, and employees of the failed insured depository institution.

CATEGORIES OF RECORDS IN THE SYSTEM:

Records in the system from the failed insured depository institution fall into the following categories: Loan and collateral files; deposit files; financial institution financials, email, file shares, Suspicious Activity Reports (SAR), Reports of Examinations (ROE), payroll records, human resources records, Board of Directors' minutes, and other related records as necessary to meet the FDIC statutory requirements. The records may include:

• Contact information ( e.g., names, phone numbers, email addresses, physical addresses);

• date of birth;
• Social Security number (SSN);
• mother's maiden name;

• certificates ( e.g., birth, death, naturalization, marriage, etc.);

• employee identification number (EIN);

• driver's license/state identification number, vehicle identifiers ( e.g., license plates);

• legal documents, records, or notes ( e.g., divorce decree);

• financial information;
• employment status/history;
• criminal information; and
• military state and/or records.

RECORD SOURCE CATEGORIES:

Information in this system is collected from failed insured depository institutions for which the FDIC was appointed receiver.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USE:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the FDIC as a routine use as follows:

(1) To a congressional office in response to an inquiry made by the congressional office at the request of the individual who is the subject of the record;

(2) To appropriate agencies, entities, and persons when (a) the FDIC suspects or has confirmed that there has been a breach of the system of records; (b) the FDIC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FDIC (including its information systems, programs, and operations), the Federal Government, or national security; the FDIC and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FDIC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm;

(3) To another Federal agency or Federal entity, when the FDIC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach;

(4) To contractors, grantees, volunteers, and others performing or working on a contract, service, grant, cooperative agreement, or project for the OIG, the FDIC or the Federal Government in order to assist those entities or individuals in carrying out their obligation under the related contract, grant, agreement or project; and

(5) To academic researchers and researchers from other agencies that serve as visiting scholars performing or working on contract with the FDIC to help the FDIC improve its operations and processes, and inform national and international policy discussions and rule-making in areas as varied as resolutions, emerging risks and risk assessments, deposit insurance, and banking policy, among others.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored in a database and in electronic media hosted in a secure location.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are indexed by failed insured depository institution number and name of insured depository institution. Records may contain personal identifiers for the purpose of matching records. The FDIC retains the personal identifiers after matching, but only for the purpose of performing similar matches for future research and to provide individuals with access to their information pursuant to the record access, contesting records, and notification procedures listed below.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Failed insured depository institution data are maintained for thirty years after appointment of FDIC as receiver in accordance with approved records retention schedules.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Electronic records are password-protected and accessible only by authorized personnel. Access to electronic records is restricted to authorized personnel. Identifiable data is solely under the control of a limited number of employees or contractors who are required to uphold confidentiality restrictions of the FDIC. In addition, any contract personnel who have access to the records are required to sign nondisclosure agreements prior to working with the data. Role-based training on research procedures and the process for disclosure review must be completed prior to obtaining access to the records.

RECORD ACCESS PROCEDURES:

Individuals wishing to request access to records about them in this system of records must submit their request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must include full name, address, and verification of identity in accordance with FDIC regulations at 12 CFR part 310.

CONTESTING RECORD PROCEDURES:

Individuals wishing to contest or request an amendment to their records in this system of records must submit their request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must specify the information being contested, the reasons for contesting it, and the proposed amendment to such information in accordance with FDIC regulations at 12 CFR part 310.

NOTIFICATION PROCEDURES:

Individuals wishing to know whether this system contains information about them must submit their request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Requests must include full name, address, and verification of identity in accordance with FDIC regulations at 12 CFR part 310.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.