OCC 2001-35
OCC Bulletin
Subject:  Examination Procedures to Evaluate Compliance 
          with the Guidelines to Safeguard Customer 
          Information
Description: Examination Procedures
Date: July 18, 2001

TO:	Chief Executive Officers of All National Banks, 
        Federal Branches and Agencies, Service Providers 
        and Software Vendors, Department and Division 
        Heads, and All Examining Personnel

This bulletin transmits examination procedures for 
reviewing a national bank's compliance with "Guidelines 
Establishing Standards for Safeguarding Customer 
Information" (guidelines).  The guidelines were issued on 
February 15 in OCC Bulletin 2001-8.  The guidelines are 
mandated by Section 501 of the Gramm-Leach-Bliley Act of 
1999 (GLBA) and effective July 1.  The attached 
"Examination Procedures to Evaluate Compliance with the 
Guidelines to Safeguard Customer Information" are risk-
based and allow examiners to tailor the examination scope 
according to the size and complexity of the bank, the 
nature and scope of its activities, and the level of risk
assumed by the institution.  The examination procedures 
were developed through an interagency process and jointly 
adopted by the FDIC, OCC, OTS, and NCUA.  

Typically, OCC examiners will use these procedures in the 
OCC's largest banks, banks with complex information 
technology (IT) environments, banks where significant 
information security concerns have been identified, or 
where less experienced examiners need more detailed 
guidance.  For community banks, the OCC has incorporated 
less detailed procedures in the Community Bank 
Supervision booklet of the Comptroller's Handbook.  The 
revised booklet, which will be reissued early in the 
third quarter of 2001, will include IT procedures that 
focus on the adequacy of a bank's risk management 
processes and controls to promote the integrity, 
availability and confidentiality of automated information
and systems. Attached is an advance copy of the section 
on information technology that will appear in the 
forthcoming Community Bank Supervision booklet.  The 
sections in boldface type are examination objectives and 
procedures that are specifically related to complying 
with the guidelines.  When significant concerns or risks 
are identified, the examiners would expand their coverage
to include the attached interagency examination 
procedures. 

Questions regarding these examination procedures should 
be directed to your supervisory office or to the Bank 
Technology Division at (202) 874-5920.


____________________________________
Clifford A. Wilke
Director, Bank Technology Division

Attachment A: Examination Procedures
Attachment B: Information Technology Portion of draft 
Community Bank Supervision booklet