Thursday, April 18, 2024

January 2005 Legal Briefs

Guidelines on Security & Disposal of “Consumer Information”

  1. Broadened Emphasis
  2. What Information?
  3. Changes in Procedures and Contracts?
  4. Where to Find the New Provisions.
  5. Some Information-Protection and Information-Disposal Issues and Examples
    a. Directors’ Packets.   
    b. E-mails and Files on a Computer 
    c. Files and Other Paper Documents.

Paying Deposits to Heirs Based on Small-Estate Affidavits

Guidelines on Security & Disposal of “Consumer Information”

As required by Section 216 of the FACT Act, the Federal banking regulatory agencies (the OCC, Fed, FDIC and OTS, referred to herein as the Agencies) have recently adopted a regulation concerning proper security in maintaining, and properly disposing of, “consumer information”, which means credit reports, as well as all other material (loan reviews, memos, letters to debtors or applicants, computer files, e-mails, etc.) containing information partially derived from credit reports, that a bank maintains or possesses for a business purpose.  The new regulation applies to banks and their holding companies, and becomes effective on July 1, 2005.

(Based on the Fair Credit Reporting Act’s definition of “consumer report,” the provisions also apply to “consumer information” obtained from limited-purpose “consumer reporting agencies,” including check-approval companies such as TeleChek.  If a bank uses a check-approval company in opening new accounts, whatever is received from that company will also be “consumer information,” and any manner in which that information is recorded or summarized in the bank’s records, such as the notation “declined (or approved) based on TeleChek,” also becomes “consumer information.”  Such information must be maintained under reasonable security until it is finally and properly disposed of.)

 A few persons have commented that it may be difficult for banks to locate and track all “consumer information” in their existing information systems (whether in the form of paper files, microfilm, electronically imaged documents, computer-generated documents, e-mails, etc.).   Banks previously have not needed to think about their records, nor classify their records, in terms of what may be partly derived from a “consumer report”.  Without going through everything that exists, a bank cannot easily locate or identify every record that requires appropriate information-security and information-disposal under the new provisions.  

 Probably a much easier way to achieve compliance, and more realistic, is for a bank simply to bring all of its internal documents, and its whole information stream, under certain standardized security and information-disposal standards, as I will explain later with various examples.  (This solves the issues for “consumer information” without having to pin down specifically which of the bank’s records fall in that category.)  But first I want to provide some background, and discuss some specific language in the regulation.

1.  Broadened Emphasis

Effective July 1, 2001, regulations were issued to carry out provisions of the Gramm-Leach-Bliley Act (GLBA).  They required banks to establish and implement an information-security program for protecting customer information.  

The Agencies’ pre-existing “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” which form part of the 2001 regulations, are now being renamed, with somewhat expanded provisions.  The resulting “Interagency Guidelines Establishing Information Security Standards” now (1) will broaden their coverage from just “customer information” by also adding “consumer information,” and (2) will emphasize that they are part of a bank’s security policy, by putting “security” in the title.  

The revised Guidelines also give more attention to proper disposal of information.  The Agencies point out that under the Guidelines effective since 2001, a bank’s responsibility to safeguard customer information has always implicitly included the information-disposal process.  (Logically, a security program safeguarding customer information is incomplete unless that policy continuously protects the information through final disposal.)  Nevertheless, it’s true that the older Guidelines did not emphasize information-disposal as clearly as the new version does.

2.  What Information?

The Guidelines have previously applied only to “customer information.”  (This is what GLBA specifically protected.)  Depending on the circumstances, “customer information” may be broader or narrower than “consumer information,” which Section 216 of the FACT Act now also requires to be safeguarded.  To satisfy both Acts, the Agencies amended the Guidelines to impose information-security and information-disposal requirements on both “customer information” and “consumer information.”

“Customer information” (already covered by the Guidelines) has the same meaning as in the privacy regulation (Reg P).  First, a person must be a “customer” of the bank before that definition applies.  (In many cases, “consumer” and “customer” describe the same person; but some “customers” of the bank, such as trusts, corporations or LLCs, are not “consumers” at all.)

Second, within the meaning of GLBA and the Guidelines, a person does not become a “customer” until he has a continuing relationship with the bank.   (By contrast, a “consumer” could be someone who applies for a loan or deposit account and is turned down based on information from a credit bureau or check-approval company, or someone who decides not to complete the transaction.  In this situation the bank may receive “consumer information,” which the FACT Act requires to be protected, even though it’s not “customer information” because the transaction is not completed.)

Third, the definition of “information” within the phrase “customer information” is quite different in scope from “consumer information.”  The phrase “customer information” includes any information about the customer that is both “nonpublic” and “personal.”  However, “consumer information” under the FACT Act includes only (1) a consumer report, or (2) information derived from a consumer report (remaining identifiable with a particular individual), no matter in what format it may be maintained.

In many cases, the range of “information” protected by GLBA (“customer information”) is more extensive, but other times could be less extensive, than the range of  “consumer information” protected by the FACT Act.  Information that has actually been derived from a consumer report, for so long as it remains identifiable with a specific consumer, is protected as “consumer information”—even though the particular information may not seem especially “personal” in nature, and may be publicly available from another source.  Nor does the information derived from a consumer report need to be recognizable as coming from a consumer report.   Even a consumer’s prior address, which is not “financial” information as such, is protected as “consumer information” if obtained from a credit report.  Similarly, something as trivial as the correct spelling of a creditor’s name (where the debtor spells it incorrectly), or a creditor’s correct address (a factual detail not disclosing credit history) apparently must be protected as “consumer information” if it is obtained from a credit report, remains linked to the consumer, and is retained by the bank for a business purpose.

3.  Changes in Procedures and Contracts?

Depending on a bank’s existing procedures, the revised Guidelines may not require much change in a bank’s already-existing policies for maintaining security and properly disposing of information within the bank.  (This assumes that the bank’s procedures were already appropriate to meet the prior Guidelines.  It also assumes that most banks have not, for example, been making any distinction between how they deal with (1) credit reports belonging to customers (falling within “customer information” under the Guidelines) and (2) credit reports belonging to declined applicants who do not become customers (which is “consumer information,” not previously covered by the Guidelines).)  Presumably, banks have already been applying basically the same information-security and information-disposal procedures to all material that might be “sensitive,” and continuing in that direction is appropriate.

However, even if a bank thinks its existing policies are good, this revision of the Guidelines is an appropriate occasion for the bank to re-examine its information-security and information-disposal procedures.  The provisions have been “tweaked” and amended a bit, so it’s appropriate to verify that existing policy will adequately cover the Guidelines’ somewhat expanded scope.  

As one example, Part III.D. of the previously-existing Guidelines already required banks to impose certain contractual conditions on third-party service providers (for example, data processors, collection agencies, attorneys,  document-destruction companies, and computer technicians) to properly safeguard the security and confidentiality of “customer information” that those service providers may possess, process, or otherwise have access to, while providing services to the bank.  (The revised version adds “consumer information” to the list of what must be protected.  Depending on the wording of existing contracts, service providers’ previous written agreements may not, now, be quite broad enough to provide the assurances required by the revised Guidelines.)  

Also, the prior version was not explicit about “disposal” of information.  The revised Guidelines, at Part II.B.4. specifically require banks (effective July 1, 2005) to “[e]nsure the proper disposal of customer information and consumer information.”  A corresponding change in Part III.G.4 will require banks, in their contracts with service providers, to obtain assurances that those providers will dispose of consumer information properly (credit reports and any information derived from credit reports) in accordance with the Guidelines.   For contracts with service providers entered into prior to July 1, 2005, banks have until July 1, 2006, to obtain amendments bringing the contracts into compliance with the revised Guidelines’ information-disposal standards.  (New contracts entered into with service providers on or after July 1, 2005, must contain appropriate information-disposal requirements that will become effective immediately when signed.)

4. Where to Find the New Provisions

The various Agencies’ information-security and information-disposal requirements are substantially identical, but there’s a separate version for each agency.  Each separate set of provisions has two parts—(1) a new regulation (which will be expanded later to include other FACT-Act-related requirements), imposing duties on banks to properly dispose of “consumer information” in accordance with revised Guidelines which are cited, and (2) revisions to the Guidelines themselves, which are attached to “safety and soundness” or “minimum standards” requirements of the particular agency.  

The OCC’s version (applicable to national banks) amends Appendix B (Guidelines) attached to 12 C.F.R. Part 30 (Safety and Soundness Standards), and also adds a new Part 41, subpart I (Fair Credit Reporting) to set out consumer-information-disposal duties.  (Part 41 will later include other FACT-Act-related regulations.)

The Federal Reserve’s revised Guidelines appear in Regulation H, 12 C.F.R. Section 208.3 (for Fed-member state banks), and in Regulation Y, 12 C.F.R. Part 225 (for bank holding companies, and non-bank subsidiaries of holding companies).  Consumer-information-disposal provisions, applicable both to holding companies and Fed-member state banks, are set out in the Fed’s recently enacted Regulation V (Fair Credit Reporting), which is 12 C.F.R. Part 222, subpart I.

The FDIC’s version (applying to non-Fed-member state banks) includes amended Guidelines in 12 C.F.R. Part 364 (Standards for Safety and Soundness), and a new Part 334 (Fair Credit Reporting), with consumer-information-disposal provisions.  The OTS language (for savings associations) amends 12 C.F.R. Part 570 (Safety and Soundness Guidelines and Compliance Procedures) and Part 568 (Security Procedures), and adds a new Part 571 (Fair Credit Reporting), subpart I, regarding consumer-information disposal.

5. Some Information-Protection and Information-Disposal Issues and Examples

Section 216 of the FACT Act emphasizes that (1) a bank has a duty to trace or monitor, and properly safeguard, any information derived from a consumer report (so long as it remains within the control of the bank or any of the bank’s servicing agents); and (2) if the information is subsequently disposed of, by the bank or its servicing agents, the disposal must be properly done.   

Certainly a bank has a legitimate need to use and retain certain information from a credit report, but the bank’s procedures in doing so should not create security weaknesses that may leave the consumer vulnerable to fraud.  The FACT Act has now turned the bank’s privilege to use this information into a legal duty to keep the information from being improperly accessed and used by others.

“Dumpster divers” are only one example of how improper control over consumer information, or improper disposal of that information, can open the door to potential fraud against the consumer.  Almost everyone recognizes that a bank’s stored paper files are “sensitive data”; but bankers may not automatically think of the bank’s imaged documents, computer files, and even e-mails, as being equally vulnerable to improper access, and potentially equally useful in committing fraud.  In some cases, electronic data are easier to copy and steal than paper files.  Just like paper documents, electronic information must be constantly protected from improper access, and finally disposed of properly.   (This applies just as much to a bank’s service providers, such as law firms or collection agencies, which may have certain bank-related consumer information related to pending matters, but may not have security procedures or information-disposal procedures equivalent to what the bank uses.)

Having an appropriate information-disposal policy is not just about finding an appropriate company to shred or burn the bank’s old files.  That much alone will not cover the entire “information stream” that a bank needs to protect, because (1) there are probably a lot of loan-related papers that never make it into a loan file, and that never go to the document-destruction company, (2) there’s electronic information, such as computer files and e-mails, existing separately from the paper files, and this is also in need of protection and proper disposal, and (3) the service providers’ files (paper and electronic) should also be included in an appropriate information-disposal policy.   

It may be useful for a bank to decide how it’s going to get control over the security (and disposal, eventually) of everything within the bank’s information stream.  This goes beyond what the regulation requires, but may be the simplest and most effective way to satisfy the requirements.

Logically, I think this process divides into two parts:  First, identify all situations in which consumer information is physically transferred outside of the bank to persons who are bank-related, such as bank directors and service providers.  Figure out what the appropriate procedures must be, in each situation, to maintain security of this information (and to dispose of this information) outside of the bank, and who will have responsibility to do it, and who will verify that it happens.  

Second, identify various situations where consumer information is used and retained inside the bank, and establish policies for safeguarding this information in each area.  Look at all of the places that consumer information is maintained in the bank, and consider what policies might provide more adequate security for the information held in those places (loan files, papers on the officer’s desk, papers in unlocked desks or file cabinets, files in computers, e-mails on computers, and microfiched or imaged documents.).  Also think of various ways that consumer information is actually disposed of in the bank.  Consider the adequacy (or lack) of procedures for disposing of various forms of information (as outlined in more detail below).

Based on Part III.B. of the Guidelines, a bank’s security and disposal procedures should be “risk-based.”  A bank is not required to think of and protect against absolutely every unlikely, bizarre event that might result in unauthorized access to consumer information, so I don’t want to overemphasize this process; but neither can bank officers afford to ignore the risks that are real.  The bank must design reasonable strategies and procedures to protect against genuine information-security risks.  Each bank can develop procedures appropriate to its own situation.  For example, paper records must be “rendered unreadable,” but the Agencies don’t care how this is accomplished—some records burned, some shredded, some cut up or torn up, etc.   

To highlight some “less-obvious” information-security and information-disposal issues that may arise, I will give some examples:

a. Directors’ Packets.   Directors’ packets may not be a high-risk information-security issue in themselves, but they are an excellent example of consumer information being sent outside the bank to persons for whose actions the bank remains responsible.  Although information-security and information-disposal standards clearly should apply, the directors may be entirely unaware of them.  (This may represent a gap in the bank’s policies.)

Directors’ packets provided in advance of board meetings may contain information about specific consumers’ credit history, credit score, or other data derived from a credit report.  (For example, in many cases loan applications by executive officers and other bank insiders need to be approved directly by the board.  Terms for insider loans must be “arm’s-length,” so the board has to understand an individual’s credit quality.  To accomplish this, the individual’s credit report, including credit score, is relevant.  It’s common for at least a summary of the credit report’s contents to be distributed to directors in support of the loan’s proposed terms.  By this means, “consumer information” leaves the bank.)

It’s also common for the board to review a monthly list of past-due loans.  In examining a weakened loan’s status, the board considers the adequacy of collateral, and perhaps the bank obtains an updated credit report to help evaluate the customer’s overall condition.  Information from the credit report is often summarized in the board packet, to help in the board’s deliberations. A board packet might list the borrower’s other major creditors, the total amount of debt currently owed to other creditors, and (if notable) the number of payments that have been “late” to other lenders.  Such data, when extracted from a credit report, automatically become “consumer information” that raises information-security and information-disposal issues, including in the hands of directors.

A bank could develop a strategy for protecting credit-report-related information contained in the board packet from subsequent improper disclosure or inadequate disposal methods.  It may be useful (1) to determine prior to a board meeting what portion of the board materials may be “consumer information”; (2) to put all such information (if possible) on a single page or a few pages; and (3) to collect this consumer information from the board members at the end of the meeting, so that it can be disposed of by shredding at the bank.  This is far superior to allowing the information to pile up indefinitely in a stack in the director’s business office, where it can easily be accessed by unauthorized persons, and then eventually throwing it away without any shredding or burning.  (Certainly the bank should keep a complete copy of the board packet with the minutes of the meeting, but the directors do not need to retain a board packet after they have taken action on the covered items.)

If board members for some reason must retain copies of complete board packets, including “consumer information,” an alternative approach would be to adopt a policy that the directors must keep past months’ board packets in a locked file cabinet or locked desk.  In this scenario there should also be an information-disposal procedure that directors understand and will follow at the appropriate time, such as shredding the information at the director’s office, or returning the materials to the bank’s compliance officer for shredding.

b. E-mails and Files on a Computer.  Assume that a loan officer sends an e-mail to members of the bank’s loan committee, giving a general summary of a loan application and stating the applicant’s credit score, among other things.  The e-mail becomes “consumer information” because it contains information from a credit report.  

Because of its content, this e-mail automatically has “information security” issues. The e-mail ideally should be protected from unauthorized access while it remains undeleted on each loan committee member’s computer; and also, eventually, it needs to be properly disposed of by each loan committee member.

To deal with the first of these issues, the bank may need a policy that protects e-mails while they remain undeleted on the computers of the loan committee members (including outside directors on the loan committee).  To accomplish this, each of the loan committee’s members may need to have an individual e-mail address (not a group e-mail address) that is password-protected, so that (a) e-mail messages relating to loan committee business, directed to that person, cannot be opened by any other person at any time, and (b) any opened but undeleted e-mails relating to loan committee business cannot be accessed by others.  (An e-mail, as the electronic equivalent of a paper file, needs to be “locked up” to keep it from prying eyes, and, when eventually disposed of, needs to be beyond any possibility of retrieval by unauthorized persons.)

Potentially, e-mails containing “consumer information” may be hardest to manage when sent to outside directors on the loan committee, because such e-mails tend to be received on a computer located either at home (where family members may have access), or at the director’s business (where a secretary, having no connection to the bank, frequently is given access to the boss’ e-mails, to deal with situations that may arise, such as when the boss is absent.)

Ideally, if loan-related e-mails are sent, it should be bank policy that recipients (employees or outside directors) will have a password-protected e-mail address and will never disclose their e-mail password to anyone for any reason.  (If, for whatever reason, it is not practical for a recipient to have a password-protected e-mail address, then e-mails containing “consumer information” derived from credit reports should not be sent to that person!)

Some bank employees can be reached only through a “group” e-mail address, such as customerservice@yourbank.com or loandepartment@yourbank.com, which is set up to be constantly monitored by someone (even while employees are on vacation).  The very purpose for which this type of e-mail address is created requires access by multiple people, and that’s appropriate for its own purpose.  But a “group” e-mail address is not an appropriate way to send content-sensitive information that should never be accessible to others, such as “consumer information” derived from credit reports.  The same issue applies if an outside director has only a general business e-mail, accessible by several people, such as mybusiness@aol.com.

A second issue concerns appropriate disposal of e-mails containing “consumer information.”  This question may have several parts.  The first part is actually a retention policy (or a policy against retention):  Should the bank require sensitive e-mails (sent either to employees or outside directors) to be deleted after a certain time—for example, after the loan committee has acted on the particular loan application?   For loan officers, it may be appropriate to print one copy of certain e-mails, placing them in the loan file, and then to destroy the electronic version.  In the case of outside directors, it may be appropriate to require deletion of the e-mails after a certain time, without exception.  

(If the director or loan officer is in the habit of printing off e-mails to study them—which tends to happen with longer documents, or if they contain a lot of precise details or questions–then the print-outs also must be properly protected from unauthorized access (information security) and must be disposed of so thoroughly that they cannot accidentally fall into other hands.)

An e-mail must be deleted from a computer twice, and really three times, before it is completely gone.  First, the individual e-mail must be deleted from the mailbox; second, the e-mail program’s “deleted items” folder (or the computer’s “recycle bin”) must be emptied, because the first step only moves the message there.  (If a person procrastinates in deleting e-mails, or forgets to empty the “deleted items” folder regularly, he is not effectively disposing of the “consumer information” in his possession.  It may be appropriate for a compliance officer to send regular reminders to bank employees and loan committee members to empty their “deleted items” folders, monthly or at some other interval, and even to ask them monthly to confirm that they have done so.)

The third level of deletion is something that happens only after a further delay, if at all.  Most people are unaware that it is possible to “recover” deleted e-mails even after the “deleted items” folder has been emptied.  Depending on the e-mail program’s or mail server’s settings, “deleted” messages may be held in a recovery area for some fixed period, such as one month, before they are purged; and even after that, deleting a message does not actually erase it from the hard drive, it only marks the space as free, so the contents remain readable with recovery tools until that space happens to be written over.  A password on the e-mail account does not protect against this, because the data is read straight from the drive.  If a computer is donated, traded or sold, or someone gains physical access to it, that person may be able to recover e-mails long after they were “deleted.”
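The retention rule and the “delete twice” point above can be enforced by a script rather than by monthly reminders.  The following is an added example, not code from the original article, and it assumes loan-committee e-mails have been saved as individual .eml files in a folder, that a file’s modification time is a fair measure of its age, and that overwriting the file in place before unlinking it is acceptable for the storage involved (see the caveat at the end).  The folder layout, file names, 30-day period and sample messages are all constructed for the example.

```python
"""Retention-driven disposal of saved e-mail files (added example, not from the article).

A plain delete only removes the directory entry; the message bytes stay on the
drive until something else happens to overwrite them.  This script overwrites
each expired file with random bytes before unlinking it, which is the file-level
counterpart of emptying "deleted items" and then making the space unreadable.
"""
import os
import secrets
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def overwrite_and_unlink(path: Path, passes: int = 2) -> int:
    """Overwrite a file's contents in place, flush to disk, then unlink it.

    Returns the number of bytes overwritten per pass.  The random data comes
    from secrets.token_bytes so the old contents cannot be recovered from the
    file's own blocks on an ordinary filesystem.
    """
    size = path.stat().st_size
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())   # make sure the overwrite reaches the disk
    path.unlink()
    return size


def purge_expired(mail_dir: Path, retention_days: int,
                  now: Optional[float] = None) -> List[str]:
    """Dispose of every *.eml file older than retention_days; return the names removed."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed: List[str] = []
    for path in sorted(mail_dir.glob("*.eml")):
        if path.stat().st_mtime < cutoff:
            overwrite_and_unlink(path)
            removed.append(path.name)
    return removed


def demo() -> dict:
    """Build a constructed mailbox of three saved e-mails and run a 30-day purge."""
    with tempfile.TemporaryDirectory() as tmp:
        mail_dir = Path(tmp)
        now = time.time()
        # Constructed sample messages (age in days, body); not real consumer data.
        samples = {
            "app-0001.eml": (90, b"Subject: Loan application 0001\n\nApplicant score: 712\n"),
            "app-0002.eml": (45, b"Subject: Loan application 0002\n\nApplicant score: 655\n"),
            "app-0003.eml": (5,  b"Subject: Loan application 0003\n\nApplicant score: 780\n"),
        }
        for name, (age_days, body) in samples.items():
            p = mail_dir / name
            p.write_bytes(body)
            mtime = now - age_days * 86400
            os.utime(p, (mtime, mtime))      # back-date the file to simulate its age
        removed = purge_expired(mail_dir, retention_days=30, now=now)
        remaining = sorted(p.name for p in mail_dir.glob("*.eml"))
        return {"removed": removed, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` removes the 90-day-old and 45-day-old messages and leaves the 5-day-old one.  The caveat is the one the article raises in the next paragraphs: an in-place overwrite only reaches the copy it is pointed at.  Copies held by a mail server, in backups, in a journaling or copy-on-write filesystem, or on a solid-state drive that remaps writes are not touched, so for a machine leaving the bank’s control the overwrite must be of the whole drive, or the drive must be physically destroyed.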

As the Agencies point out, getting rid of a computer that may contain e-mails or other files—for example, a computer in the bank that has been used by a loan officer, or a computer at another location that is the personal property of the loan officer or outside director—is itself a method of “information disposal.” (Potentially it can be as hazardous as throwing sensitive files into a dumpster.)   Disposing of a computer by any means can be improper because of residual information that it contains, unless it has somehow been determined by a person with advanced computer skills that it’s now impossible to recover deleted “consumer information” from that computer.

When a bank, or loan officer (with a home computer), or even an outside director, is ready to sell, donate, throw away or lend an old computer, and that computer may have received files or e-mails containing “consumer information,” bank policy should probably forbid turning over the computer to anyone unless someone with excellent computer skills has first thoroughly, finally, and irretrievably wiped its hard drive.  (Employees and directors must be made aware of such a policy if it’s to be followed.)

A person brought in to “wipe” a computer’s hard drive before it is sold or donated should be selected with some care (and should provide the required contractual assurances), just as the bank would carefully select someone to shred or burn documents containing “consumer information.”

Of course, the Agencies do not require high-tech solutions where low-tech solutions would also be effective.  If it is difficult or expensive to bring in someone to “wipe” a computer’s hard drive before it is donated or thrown out, a bank could simply remove the hard drive, pound it with a sledge hammer until the drive itself is destroyed, and throw away what’s left.  While this sounds funny, it’s never desirable to expose customers’ data to would-be thieves, and whatever prevents that is prudent.  It’s common to donate old computers to schools and libraries, but when a computer has truly become outdated and inadequate, it may not be very useful to the school or library anyway, and a better plan might be to donate a new computer and destroy the old one.

(Another e-mail-related issue arises if a bank’s computers are on an internal e-mail server that either (a) automatically makes a duplicate copy of all e-mails received by bank employees, or (b) “backs up” the e-mail system (and other computer files) on a daily basis to prevent an accidental loss of data.  This type of system at a minimum makes copies of all users’ as-yet-undeleted e-mails and/or other files.  Of course, generating a back-up of files causes extra copies of “consumer information” to be retained for a time, and deleting the original from a user’s mailbox does nothing to the copy on the server or on the backup media.  When these “back-up” copies are automatically “erased” or written over at a future point, only then is there “disposal” of the copied “consumer information.”  Backed-up data could be an extremely rich source for someone desiring to steal sensitive information, and must be protected from unauthorized access.  If there is an e-mail server or other computer database located off-site (at a service provider’s address), the same information-security and information-disposal issues apply to whatever that service provider may be doing off-site.)
 
c. Files and Other Paper Documents.  Banks usually retain a loan file (or a copy) for the life of the loan plus two years (the time period mentioned in the Oklahoma Banking Department’s retention schedule).  But not every piece of paper in a loan file gets retained for the entire time period.  As time passes, a bank “edits” a file during the life of the loan—for example, by disposing of an old credit report when a new credit report is obtained, or by eliminating some of the original loan paperwork when the loan is renewed.  Some of the information contained in a loan file was perhaps not necessary even in the beginning, and later gets removed.  Some papers in the file may be duplicates, so one copy gets pulled out when the file is reviewed. Also, at some point during the life of the loan (or after the loan is paid off), the bank may want to microfilm or image some of the documents in the file, discarding the physical paper.  

As these examples show, there are many occasions when some document or memo that is “customer information” or “consumer information” could be taken out of a file and discarded.  Banks tend to be very careful about the destruction of old loan files (the entire file), by burning or shredding.  But are they equally careful to properly dispose of each piece of paper that is pulled out of a loan file over the life of a loan?  They probably should be, under the Guidelines’ provisions.

When a loan application is incomplete or is denied, the file is not “customer information” (because a continuing relationship has not been established), but typically there is “consumer information” as defined in the new regulation (either a credit report or information derived from a credit report).  The bank should retain incomplete or denied consumer applications (and related documents) at least 25 months, based on Regulation B.

Because the Guidelines now apply equally to “consumer information” (credit reports, credit scores, etc.) and to “customer information” (such as loan files), a bank should provide the same information-security protections for incomplete or denied applications (with credit reports or credit scores) as it does for loan files, and should dispose of incomplete/denied applications (after 25 months) as thoroughly as it disposes of loan files.

Copies of documents are just as important as the originals in any discussion of “consumer information” and “customer information.”  Bankers think of a loan file as something very important (because at all times a loan file must include proper documentation); but the same bankers may think of a mere copy of something in the loan file as fairly unimportant, having no value in itself.  

This is not the approach taken by the Guidelines.  Each copy of “customer information” or “consumer information” is just as vulnerable to being used improperly as every other copy.  Each copy needs to be protected for information-security purposes, and eventually disposed of properly.  If fewer copies exist of sensitive information, information security is simpler; and proper destruction of extra copies decreases opportunities for someone to obtain that information improperly.

Perhaps a loan officer makes hand-written notes to a loan file and asks the loan secretary to type them.  The typed version goes into the loan file, initialed by the officer, and the hand-written draft goes into the trash.  If the notes contain “customer information” or “consumer information,” this is not proper information-disposal.

In a different situation, a new employee may be asked to prepare a copy of materials for a loan committee meeting, or for a loan closing.  Maybe the first copy is too light or dark, or the copy gets printed from the wrong paper tray, or the just-finished previous user made three copies, and the copier now automatically makes three copies of the loan materials, although only one copy is needed. In all these cases, “spoiled” or extra copies tend to be thrown in the trash next to the copier.  The person making the copies may not even be aware of the Guidelines, but this is not proper information-disposal.

As another example, in various situations bank employees may need to copy something that’s in a loan file.  To book a loan on the bank’s books, to assign it an account number, and to set up monthly statements on the computer, operations personnel might make a copy of certain loan documents.  (Someone may insist that it’s important to retain the originals in the file, and to keep the file stored properly.  So the operations personnel copy the necessary information from the file, and then may throw the copy in the trash when their purpose is accomplished.  This is not proper information-disposal.)

Or a loan customer might call the bank with a question about a loan document.  The issue is researched, but the customer can’t be reached by telephone at the moment.  A copy of the document is made, to refer to when calling the customer again, so that the loan file can be returned to its proper storage place.  When the customer’s question is finally resolved, the person who made the copy no longer needs it, and throws it away.  

These examples illustrate why it could be helpful for a bank to have a document shredder in the loan department (and also probably in the operations department).  This would be convenient in disposing of miscellaneous copies of information that nobody needs anymore, but which really should not be thrown in the trash.  Ideally, each employee should be expected to shred his or her own miscellaneous documents, and to do so promptly.  (If “orphan” documents are piled up in a corner on the theory that someone else will eventually shred them, they could remain unattended/unnoticed for weeks or months at a time.  Proper information-disposal will probably occur eventually, but in the meanwhile there is little information-security.)

Unavoidably, a document shredder breaks down, or it jams because someone tries to shred too many pages or forgets to remove staples.  Then no one can shred anything, until someone decides to fix the problem. Documents could pile up for months. There’s no information-security for these miscellaneous documents in the meanwhile, unless someone recognizes the issue and locks the documents in a closet until they can be sent out for regular information-disposal (or the shredder is fixed).  Ideally, documents that will not be destroyed soon should be locked away while they are accumulating.  

The Guidelines do allow individual banks to adopt procedures appropriate to their particular situation, without necessarily trying to plug every possible, theoretical gap.  Some of what I have discussed may sound like “overkill,” but a bank should consider the various ways it creates, stores, copies, and disposes of information; whether its employees are alert to information-security and information-disposal problems; and whether its procedures for information-security and information-disposal are adequate to address the bank’s circumstances.

Paying Deposits to Heirs Based on Small-Estate Affidavits

As most new-accounts officers realize, a procedure in Section 906 of the Banking Code allows deposits to be paid out to heirs (without an estate proceeding) based on an appropriate affidavit, if (1) the deceased is the sole owner on the account(s)—with no beneficiaries or joint tenants; (2) the deposits are $5,000 or less; (3) the deceased is a legal resident of Oklahoma; (4) the deceased had no will; and (5) the known heirs all sign an affidavit meeting the requirements of Section 906.

But in some cases the procedure in Section 906 simply cannot be used—for example, (1) if the deceased did have a will, even though the deposits are less than $5,000; or (2) if the deceased had no will, but the deposits slightly exceeded $5,000.

In 1998 the Legislature passed an alternative procedure, which is Section 393 of Title 58, Oklahoma Statutes (part of the probate code).   (I discussed the statute’s requirements at length in my articles of December 1998 and January 1999.) In some cases, the Section 393 procedure allows a bank to distribute a deceased’s deposits to heirs where Section 906’s requirements are not met.  (If either section would allow distribution of deposits to heirs under the particular circumstances, it’s permitted.)  A bank officer should be familiar with both provisions, but still in some cases neither statute is satisfied, so a probate cannot be avoided.

Unlike Section 906, the Section 393 procedure can be used even if there is a will, and even if the deposits are somewhat larger than $5,000; however, Section 393 has additional requirements to meet, where Section 906 does not.  Section 393 until now has required that (1) the deceased’s total assets everywhere in Oklahoma (not just deposits), net of debts, cannot exceed $10,000 (excluding assets transferred by joint tenancy, P.O.D., etc.), (2) all debts and taxes of the estate must be paid or provided for, and (3) the heirs must all sign an appropriate affidavit (with different provisions than the affidavit outlined in Section 906).

What has recently changed is that the dollar limit under Section 393 (total assets in Oklahoma, net of debts) has been raised to $20,000 as of November 1, 2004.  What this means is that banks will start to see more affidavits prepared in reliance on Section 393; but this statute still will not help in all cases, and many heirs will still have to start a probate, as explained below.

The biggest problem with using Section 393 is that hardly anybody has an estate so small that the total assets in Oklahoma, net of debts, are less than $10,000.  In the past, any estate including a home, or even a car, plus bank deposits, has generally failed to fit within the $10,000.  (Real estate, cars or bank accounts passing at death by joint tenancy or P.O.D. are not counted in the $10,000 amount, net of debts.)  The new $20,000 limit may work for a few more small estates, where there’s maybe only a car plus some bank deposits, but in many cases it still won’t help if an estate includes real estate, for example, and it is held in sole ownership.  

Section 393 also cannot be used if debts exceed assets.  (If it’s impossible for heirs to swear under Section 393 that debts have been paid or provided for, the bank can’t distribute even a $10 balance to heirs using the Section 393 procedure.  If the person died with a will, then Section 906 also cannot be used to distribute even a $10 balance to heirs.)  

Some probate seminars have been emphasizing the increase in the Section 393 dollar limit to $20,000, so more lawyers are becoming aware of this provision, and banks will start seeing the affidavits more often.  There have been some rumors or questions from bankers concerning whether the $5,000 dollar limit in Section 906 of the Banking Code has been amended to $20,000, or has been pre-empted altogether by new legislation.  None of this is true.  The Section 906 provision continues in effect without change—if you can satisfy it, you can use it.  On the other hand, the Section 393 provision has been increased to $20,000, but it doesn’t apply in the same situations as Section 906.  If you can fit within Section 393’s requirements, as revised, you can use it.  Either statute, separately, is enough, if it applies.